No. 1 anti-spam filter
Over 80,000 customers 
Over 60 awards 
Lowest market price for SMBs 


With over 60 awards to its name, 80,000 satisfied customers and unbeatable price-performance, GFI MailEssentials for 
Exchange/SMTP/Lotus is a best-of-breed anti-spam package that is easy to set up, uses two anti-spam engines to ensure 
a high spam capture rate of over 98% and also removes the need to install and update anti-spam software on each desktop. 
Eliminate spam from your mail server with the following key features: 

• Server-based anti-spam and anti-phishing - Detects and blocks spam and phishing emails 

• Bayesian filtering - Detects over 98% of spam based on statistical message analysis 

• SpamRazer - Provides an additional layer of anti-spam protection 

• Automatic whitelist management - Keeps whitelists up-to-date without extra admin 

• Attachment spam check - Detects image, PDF, Excel, ZIP and mp3 spam 

• Email header analysis and keyword checking - Blocks spam based on message field info and keywords 

• #1 anti-spam solution - Over 60 awards and 80,000 customers 

• Unbeatable pricing - $207.20 for 10 mailboxes, $414 for 25 mailboxes 

• And much more! 

Voted MSExchange.org Readers' Choice Award Winner in the Anti-Spam Category four times, GFI MailEssentials is the 
number one server anti-spam solution at unbeatable pricing! 
Don’t Let the Economic Crisis
Become an IT Crisis 

Keeping systems up and running through tough financial times 


It's a time of dire predictions, gloomy
forecasts and slashed budgets. But 
because companies must survive, it's 
also a time of doing everything possible 
to patch systems together and keep 
them running. System demand has 
never been higher, and because of the 
financial crunch, so has the necessity 
to "make do with what you've got." 
Those new servers will have to wait 
until next quarter. Those old workstations
are going to have to hold up.
It's a true test of an IT crew, kind of like 
a battleship's crew in combat. 

Your company is heavily dependent 
on the performance you provide them. 
Any system downtime for any reason 
means lost time and profit. The same 
can be said for slow performance—the 
longer it takes to get something done, 
the longer a customer has to wait, the 
more possibility of being cut off by the 
competition or angering a customer so 
they go someplace else. 

Fragmentation Robs Production 
and Performance 

File fragmentation is a key factor 
that cripples system performance 
and threatens reliability all across the 
enterprise. It causes system slowdowns 
resulting in lost production and help 
desk calls. It also allows for hard drive 
lives that can be shortened by 50 percent, 
due to the excessive I/O activity to 
retrieve fragmented files. 

"We constantly had servers running 
slowly and getting really fragmented 
from constant file access," said Jim 
Bernal, Senior Network Engineer with 
Howe, Barnes, Hoefer & Arnett in 
Chicago, Illinois. "Over time, file access 
would almost halt or take minutes to 
access a file. We also had problems with 
users logging in with domain controllers 
sometimes rejecting users because of 
timeouts in communicating with our 
DNS servers." 

Scheduled defragmentation—including
the "free" offering—doesn't
actually solve the problem. Time
windows in which to schedule defrag
have become less and less, thanks to
escalating 24X7 server operation at
many companies. In between the
scheduled runs that do occur, fragmentation
continues to build and
impact performance. And scheduled
defrag also causes its own cost overrun:
the valuable IT time required to
analyze and schedule defragmentation
for each drive.

“With fragmentation exerting
such a severe toll on system
performance, it’s quite likely that
many organizations have initiated
hardware upgrades unnecessarily. By
using an enterprise defragmentation
utility, it is possible to achieve
performance gains that meet or
exceed many hardware upgrades.
From a cost standpoint alone,
this is an attractive proposition.”

— IDC White Paper, Reducing Downtime
and Reactive Maintenance: The ROI of
Defragmenting the Windows® Enterprise

The Small Investment with Huge ROI 

The one investment that pays for 
itself many times over in restored 
performance and hardware life is new 
Diskeeper® 2009 with InvisiTasking® 
technology. Once installed, Diskeeper 
invisibly and automatically maintains 
performance from that day forward. 
Performance is consistently maximized, 
there is never a negative performance 
hit from defrag, and scheduling is 
never required. 

"Since implementing Diskeeper on 
our servers and workstations, we've
improved system performance tenfold,"
said Mike Ciccarone, IT Coordinator
with Town of Fountain Hills, Fountain
Hills, Arizona. "The automatic defragmentation
jobs not only improve system
efficiency but the effectiveness of our
limited Information Technology staff.
We now have time to perform other
necessary tasks to help support our
users and to roll out new services."

"With Diskeeper, our servers have 
been up almost 99% of the time with 
no downtime, except to install updates 
from Microsoft® or when a server reboot 
was necessary," said Bernal. "And file 
access is lightning fast." 

Keeping Economic Troubles Out of IT 

Don't let the economic crisis become 
an IT crisis. Put Diskeeper with 
InvisiTasking to work in your company 
—and put performance and reliability 
problems behind you. 

"I think you can do the math on how 
much we saved not having to buy new 
machines, not to mention the manpower
I did not have to use constantly
working on the machines," said Derik 
A. Hammond, IT Operations Supervisor 
with L-3 Photonics in Carlsbad, 
California. "The savings to the programs 
and my stress level cannot be measured. 
It even looks like some of the machines 
will actually get close to a four-year life 
span due to Diskeeper." 

SPECIAL OFFER: 

Try Diskeeper 
with InvisiTasking 
FREE for 45 Days! 

Download at: 

www.diskeeper.com/wincrisis 

Volume licensing and Government/Education discounts 

are available from your favorite reseller or by calling 

1-800-829-6468, code 4158. 

For test results, white papers and case studies, visit 

www.diskeeper.com/winpapers 

© 2008 Diskeeper Corporation. All Rights Reserved. Diskeeper, InvisiTasking, and the Diskeeper Corporation logo are either registered trademarks or trademarks owned by Diskeeper Corporation in the United States and/or other countries. All other trademarks and brand names are the property of the respective owners. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504
EVERYTHING BUT MICROSOFT



OpenOffice 3.0 Challenges Microsoft Office's Dominance 

Once considered a pale imitation, OpenOffice 3.0 is the best Office alternative yet 


When it comes to office productivity suites, Microsoft
Office has become the de facto standard for
millions of companies, schools, organizations, 
and individuals. It also isn't cheap ($500 retail 
for Office Professional 2007), a fact that isn't lost 
on cost-conscious IT pros. "As a small company, 
we have to maintain a tight IT budget," IT Director Jack Miller said 
in an email sent to Windows IT Pro back in 2007. "In 2005, we were 
still running Windows 98 and Microsoft Office 97. When Microsoft 
announced it wouldn't be supporting these products anymore, I 
knew we had to upgrade but didn't have enough money 
in my budget to upgrade both products." Miller opted for 
the Windows XP upgrade, dumping Microsoft Office in 
exchange for OpenOffice, an open-source alternative. 

Miller's story isn't unique. As budgets get squeezed, 
many IT pros look for inexpensive alternatives to 
costly existing solutions. OpenOffice is a valid alternative
for some, but the lack of file compatibility with
Microsoft Office 2007 and a somewhat kludgy interface 
helped keep the product a niche player. OpenOffice 
3.0 addresses many of those concerns. If you're an IT 
pro looking to migrate to Office 2007, you should give 
OpenOffice 3.0 a look; you can download it at
www.openoffice.org. (A quick aside to the OpenOffice marketing
team: Please dump the tortuous "OpenOffice.org"
product name and stick with OpenOffice, which
I've taken the liberty of doing in this column.)

After spending a few days with the latest release, I'm convinced 
that OpenOffice 3.0 can be a viable Office alternative for many. Like 
Microsoft Office, OpenOffice consists of several applications bundled 
in one suite, including a word processor, flat-file database, presentation
program, and spreadsheet. Each of these separate OpenOffice
apps offers a host of upgrades and improvements over OpenOffice
2.0, ranging from improved support for additional languages and better
performance, to a new Start Center feature and a number of other
interface and user-experience improvements. If you're accustomed 
to the pre-Office 2007 locations for your File, Edit, View, and other 
pull-down menus, OpenOffice will feel like a comfortable old shoe. 
Figure 1 shows the OpenOffice Start Center. 

The biggest gripe many users had with OpenOffice was file
incompatibility with Microsoft Office, and OpenOffice 3.0 goes a
long way towards addressing that gripe. The new version now reads
(but does not write) Microsoft Office XML files such as the .docx,
.xlsx, and .pptx formats. During my testing, these document types
rendered well, with just a few minor errors and glitches, primarily
in large, complex documents that make extensive use of advanced
Office features (e.g., comments, revisions). OpenOffice 3.0 also supports
Microsoft Access 2007 .accdb files, offers improved support
for Visual Basic for Applications macros, and reads and writes the
emerging ODF 1.2 and Office Open XML (OOXML) document formats.
The OpenOffice community is also developing new plug-ins
and feature improvements that you can download from the
OpenOffice.org extensions repository at
extensions.services.openoffice.org.
And OpenOffice 3.0 is the first version of OpenOffice
to offer a native OS X version for Macintosh users.

On a feature-to-feature comparison basis, Microsoft
Office 2007 is clearly the more robust and capable
application. I'd rather drive a Ferrari than a Ford,
but cost is the kicker: How many people truly use all
the features and functionality of every Microsoft
Office application? On the flipside, any IT pro will tell you that even
free applications require resources for deployment, maintenance,
and user training.

All that said, OpenOffice 3.0 is an undeniably attractive alternative
to Office 2007 for many organizations. The Office suite has
always been considered a cash cow for Microsoft, but new products 
such as OpenOffice 3.0—as well as cloud-based solutions such as 
Google Docs and Zoho—might force Redmond to put that bulky 
bovine on a "get more for less" exercise regimen. 

InstantDoc 100545 

JEFF JAMES (jjames@windowsitpro.com) is senior editor, products, for 
Windows IT Pro and SQL Server Magazine. He specializes in virtualization 
and terminal services and has over 15 years of experience as a writer and 
digital-content producer. 



Figure 1. The OpenOffice Start Center 
■ Split-Brain DNS

■ Dogfooding 


■ Championing 64-bit 

■ PowerShell 101 


Split-Brain DNS Clarification 

I don't claim to be a DNS expert, but I 
think Michael Dragone's article—"Split-Brain
DNS" (September 2008, InstantDoc
ID 99772)—needs clarification. If a
domain has sites that exist internally and 
externally and will have both internal and 
external users, you must have records 
on both the internal and external zones. 
Otherwise, internal queries for an external
site that doesn't exist in the internal
zone will fail. The internal DNS server 
finds the zone locally, and when it doesn't 
find the host you're looking for, it gives up 
without forwarding up to a higher name 
server. 

—John Meola 



In the article, I assume that an external zone 
is already set up and that an internal zone 
is being added. Although it's not specifically
stated that you must add additional
host records for your domain and not just 
a record for www (as the example shows), 
such is indeed the case. Note that these 
zones don't have to—and likely won't—identically
match. Your internal zone is likely
to resolve queries to private IP addresses 
instead of public IP addresses as your external
one will, and you might not need all
the host names in both. For example, there 
would be little need to resolve "remote 
vpnaccess.mydomain.com" internally. 

—Michael Dragone 
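
The behaviour both letters describe, modelled as an added example (not from the article or either correspondent): an internal server that is authoritative for the zone answers NXDOMAIN for any name it lacks instead of forwarding, so the audit lists external records that internal users cannot resolve and flags private addresses published externally. All host names and addresses are constructed, and `vpn.mydomain.com` stands in for a host deliberately left out of the internal zone.

```python
import ipaddress

# Constructed sample data for the hypothetical domain mydomain.com.
ZONE_APEX = "mydomain.com"
EXTERNAL_ZONE = {
    "www.mydomain.com": "203.0.113.10",
    "mail.mydomain.com": "203.0.113.25",
    "portal.mydomain.com": "203.0.113.40",
    "vpn.mydomain.com": "203.0.113.50",
}
INTERNAL_ZONE = {
    "www.mydomain.com": "10.0.0.10",
    "mail.mydomain.com": "10.0.0.25",
    "fileserver.mydomain.com": "10.0.0.60",
}
# What the forwarder (the "higher name server") would answer if asked.
UPSTREAM = dict(EXTERNAL_ZONE, **{"www.example.org": "198.51.100.7"})
# Hosts intentionally published only in the external zone (assumption).
EXTERNAL_ONLY_BY_DESIGN = frozenset({"vpn.mydomain.com"})

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize(name):
    """Lower-case a host name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def in_zone(name, apex=ZONE_APEX):
    """True when name is the zone apex or a name beneath it."""
    name = normalize(name)
    return name == apex or name.endswith("." + apex)


def resolve_internal(name, internal_zone=INTERNAL_ZONE, upstream=UPSTREAM,
                     apex=ZONE_APEX):
    """Model the internal server: authoritative for apex, forwards the rest.

    Returns (rcode, address, answered_by). A name inside the zone is never
    forwarded, even when the upstream server holds a record for it.
    """
    qname = normalize(name)
    if in_zone(qname, apex):
        if qname in internal_zone:
            return ("NOERROR", internal_zone[qname], "internal zone")
        return ("NXDOMAIN", None, "internal zone")
    if qname in upstream:
        return ("NOERROR", upstream[qname], "forwarder")
    return ("NXDOMAIN", None, "forwarder")


def is_rfc1918(address):
    """True for addresses in the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def audit_split_brain(internal_zone, external_zone,
                      external_only=EXTERNAL_ONLY_BY_DESIGN):
    """Compare the two zones and report records that need attention."""
    internal = {normalize(n) for n in internal_zone}
    missing = sorted(
        normalize(n) for n in external_zone
        if normalize(n) not in internal and normalize(n) not in external_only
    )
    leaked = sorted(
        normalize(n) for n, addr in external_zone.items() if is_rfc1918(addr)
    )
    return {"missing_internally": missing, "private_in_external": leaked}


if __name__ == "__main__":
    for host in ("www.mydomain.com", "portal.mydomain.com", "www.example.org"):
        print(host, resolve_internal(host))
    print(audit_split_brain(INTERNAL_ZONE, EXTERNAL_ZONE))
```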


LETTERS@WINDOWSITPRO.COM 


Do We Really Want Dogfood? 

Has it occurred to anyone that the phrase 
dogfooding (a vendor's practice of using the 
same products it sells to customers) implies 
that the product is dogfood and that the 
customers are dogs? Maybe we should 
consult an oracle before we dream up more 
industry-standard terms... or at least a common
heckler.

—Thomas Inwood 

64-Bit Champion 

I was dismayed to read Ken Spinks's letter in 
the October 2008 edition of Windows IT Pro 
because it reinforced a common misconcep¬ 
tion about 64-bit systems. He writes that he 
bought a lesser PC for his wife because he 
"didn't want extra (i.e., 64-bit related) prob¬ 
lems with printers, scanners, cameras, or 
software.'The assumption is that 32-bit driv¬ 
ers will be more prevalent and better than 
their 64-bit counterparts. However, the exact 
opposite is true. 

For Windows Vista logo certification, 
Microsoft required only 64-bit drivers, which 
means these were the only drivers that 
experienced the rigorous testing required for 
certification. My personal experience bears 
this out: My business laptop running the 
64-bit version of Vista Ultimate works with 
all my peripherals and is far more stable and 
reliable than the 32-bit version of Vista Ultimate
that I run on my home PC. Mr. Spinks
could have still run a 32-bit version of Vista 
on the upscale PC that he passed over. PCs 
with 64-bit AMD or Intel processors are fully 
backward-compatible and will run either a 
32-bit or 64-bit OS. 

—Alan J. Walsh 

Disabling Automatic SUA Startup? 

I enjoyed John Howie's "Move Apps from 
UNIX to Windows with SUA" (September 
2008, InstantDoc ID 99588). I'm considering
using the feature in Vista, but I'm curious 
whether Subsystem for UNIX-Based Applications
(SUA) must start up with Windows.
I'd like to disable automatic SUA startup at 
system startup and instead have it launch 
only when I run an SUA application. Can I 
do that? 

—Jonathan Hanson 

SUA isn't a traditional Windows service; it's 
an optional subsystem, started when the 
system boots. In the days of Windows NT, both 
the OS/2 and POSIX subsystems shipped "in 
the box." Now, POSIX is an optional extra. It's 
configured in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Option
registry subkey
(of type REG_MULTI_SZ and value Posix). If
the registry entry is present, you'll see another
subkey (under the same key) called Posix, which
contains the value %SystemRoot%\system32\psxss.exe.
This is the POSIX subsystem executable,
which runs at startup. There's no support
for starting it after the system has started. 

—John Howie 

PowerShell Knockout 

I just want to commend Windows IT Pro on 
Robert Sheldon's fantastic PowerShell series 
("PowerShell 101," February-July 2008). And 
you capped it off in September with the five-page
knockout "Managing AD User Accounts
with PowerShell" (InstantDoc ID 99760).
Articles like these are the reason I subscribe
to your magazine.

—Adeogun Adedamola 

InstantDoc ID 100596 


In the comparative review on "SharePoint Backup Tools" (November 2008,
InstantDoc ID 100126), the price for Quest Software's Recovery Manager for
SharePoint should have been $4,995. We apologize for the error.
Humphries

The missing link to 
IT resources 


Cloud Computing: Future or Farce? 

The search for truth amidst rumors and buzzwords 



ONLINE 

windowsitpro.com 


Become Your Group's Expert— 
Windows IT Pro Resources 

The Windows IT Pro community is all 
about content. Visit windowsitpro.com/resources
and find a library of
information: white papers, essential
guides, eBooks, pocket guides, podcasts,
and more. Whatever your area of
interest, you're sure to find what you're
looking for. Get smarter—download a
resource today!
www.windowsitpro.com/resources
Manage Costs in Your Enterprise

Download this eBook and get a solid 
foundation in the basics of business 
process automation (BPA), a look at 
the way BPA tools work, and how they 
can be utilized to benefit both IT and 
overall business efficiencies. Learn 
where BPA fits into your business process,
how it differs from other scripting
and scheduling techniques, and
how your business can benefit from 
implementing a BPA solution. 
Download today! 
www.windowsitpro.com/go/BPA 

Maximize Your SharePoint 
Investment 

Get your data moving! Attend this
web seminar to learn how bidirectional
replication of SharePoint content
between servers enables branch
offices and remote sites with slow network
connections to maintain immediate
access to current SharePoint
content, even in failover scenarios.
www.windowsitpro.com/go/syntergy 
I never believed in Santa Claus. This
revelation shocks most everyone 
who hears it. I have to look into 
the concerned, slightly teary eyes 
of the person I'm talking with and 
confirm that I never made cookies 
for an old, fictitious man in anticipation of 
his breaking and entering to give me material
goods for doing exactly what I was supposed
to do anyway: behave. But I turned
out just fine—albeit a little cynical. And as I 
read the Windows IT Pro network coverage 
about cloud computing, I'm beginning to 
suspect that the reasons behind the cloud 
computing rage may be just as fictitious as 
ol' Saint Nick. 

In a May 25 blog post on the SuperSite 
for Windows (www.windowsitpro.com/go/cloudcomputing),
Paul Thurrott describes
cloud computing as "obtaining computing
resources—processing, storage, messaging,
databases and so on—from someplace
outside your own four walls, and paying 
only for what you use." And in the August 
2008 web-exclusive article "Gartner: Cloud 
Computing Is Reshaping IT" (InstantDoc
ID 100115), Paul further touts the potential
of cloud computing, stating, "In many ways 
Gartner is just waking up to what much 
of the IT world has understood for years: 
Cloud computing is real, it's happening 
now, and it will transform IT." 

But just as I start to believe, I see comments
from readers that put a raincloud
over my head. Commenting on Paul's May
blog post, reader Suraky said that cloud
computing is "just another meaningless
buzzword." And in response to the August
web-exclusive article, Bruce Arnold commented,
"The only true cloud computing
takes place in aircraft. What they're actually
referring to by 'the cloud' is a large-scale
and often remotely located and managed
computing platform. We have had those
since the dawn of electronic IT." He goes
on to write that "any journalist that makes
a buzz out of cloud computing and web 2.0
should probably be on the market for a job
instead of wasting time talking nonsense."
(Hopefully this counts as more of a rumble
than a buzz.)

November's Online Gold Mine

• Find out why Firefox is so popular
(InstantDoc ID 100550)

• A Q&A on Internet Explorer Content
Advisor (InstantDoc ID 100614)

• Part two on System Center Data Protection
Manager 2007 (InstantDoc ID 100549)

• Recover deleted files in Outlook
(InstantDoc ID 100556)

In my search for better understanding, 
I turn to Executive Editor Amy Eisenberg. 
In her blog post "TechEd in the Cloud" 
(InstantDoc ID 99433), Amy expresses her
initial feeling of deja vu: "While the name 
might be new, the concept is not. The basic 
idea is Internet software delivery. Can you 
say hosted services?" She goes on to say 
that she's warmed up to cloud computing 
because "times have changed." 

So help me through this haze called 
cloud computing: Is it worth believing in or 
is it just an old, dressed-up uncle trying to 
fool everyone?

InstantDoc ID 100568 
It’s an Asset! It’s Evidence!


75 Percent 

of corporate intellectual property is 
sent through email messages and 
their attachments * 


77 Percent 

of companies involved in legal or 
regulatory actions had email requested 
as part of the discovery process * 


DISCOVER • RECOVER • EXPORT 


DISCOVER: Create and reuse advanced queries to search a 
single data source or across multiple Backup Copies of 
Exchange Information Stores or Live Exchange Servers 

as well as PST’s and DigiVault data sets to find the required 
evidence within emails, attachments and meta-data. 

RECOVER: Use DigiScope’s intuitive Outlook interface to 
restore information via drag-&-drop to a specific location 
or select SingleTouch™ recovery to automatically restore 
mailboxes, folders, or individual items to original locations 
within the live Exchange Server. 

EXPORT: Search results can be optionally de-duplicated 
and then exported to multiple formats including, XML, 
MSG, and PST’s with various options to support data 
migration as well as further review or legal analysis. 


Lucid8’s 

EMI 


LIVE WEEKLY 
DEMOS 


FREE DOWNLOADS 

• Demo version of DigiScope 

• White Papers 



eDiscovery and Recovery for Microsoft® Exchange 


*Source: Enterprise Strategy Group


Copyright © 2008 Lucid8. All rights reserved. All other trademarks are property of their respective owners.
Thurrott

"A primary advantage of VMM 2008 over VMware
tools is that the Microsoft product can see further
into each VM than can its competition."


NEED TO KNOW 


Microsoft System Center Virtual Machine Manager 2008 


With Microsoft's virtualization platform reaching
maturity in 2008, the company's offerings now
span the PC desktop, small-to-midsized businesses
(SMBs), enterprises, and even the largest
data centers. What's missing is centralized
management, especially in large environments.
Businesses need ways to manage environments in which virtual
and physical machines interact, automate the distribution of virtualized
resources, and consolidate legacy physical servers into virtual
environments. The new version of Microsoft's virtual environment 
management product addresses those needs. Here's what you need 
to know about Microsoft System Center Virtual Machine Manager 
2008 (VMM 2008). 

What Is VMM 2008? 

VMM is a data-center management server that provides functionality 
specific to virtualized environments. Key functionality includes the 
ability to convert legacy and underutilized hardware servers into virtual
machines (VMs); provision, deploy, and manage VMs and other
virtual assets; and automatically optimize a virtualized infrastructure. 
VMM 2008 also provides virtual-to-virtual (V2V) conversion facilities 
for moving VMs off of VMware ESX Server. 

Heterogeneous Management 

VMM 2008 can manage all of Microsoft's virtual environment server 
products, including Microsoft Virtual Server 2005 R2, Windows 
Server 2008 Hyper-V, and Microsoft Hyper-V Server 2008. That's to
be expected. But it can also manage VMware ESX Server, a surprising 
boon for those who run heterogeneous environments. 

In a recent briefing, Microsoft program manager David Armour 
told me that VMM 2008 treats ESX Server as a "first-class citizen," 
providing access to the most frequently needed ESX Server management
functions. But it also lets you leverage unique VMM functionality,
such as automated VM placement, VMM's Microsoft SQL Server
2005-based library, and the like. 

As a member of the System Center family of management products,
VMM 2008 produces and can consume System Center alerts and
can trigger actions based on those alerts. This integration with key
System Center products such as Operations Manager 2007 means that
it's possible to monitor physical and virtual machines from a single
interface, while leveraging virtualization-specific functionality. The
VMM 2008 UI is also similar to that of other System Center products
and is modeled after that of Ops Manager, helping admins get up and
running quickly.

And as with many other recent Microsoft administrative consoles, 
the VMM console is built entirely on top of Windows PowerShell—so 
everything you can do from the GUI is possible via scripting as well. It's 
also possible to perform actions in the GUI and find out what underlying
scripts are used to perform those actions, then use those scripts as
the basis for automated routines of your own. 

Automated VM Deployment 

VMM 2008 analyzes the virtualization hosts in your environment and 
recommends the most appropriate physical servers for your virtualized
workloads. This feature, called Intelligent Placement, can also
work in an automated fashion if desired, moving virtual assets from 
host to host as needed and on the fly. After VMs are deployed, you can 
monitor their settings and manage their placement accordingly. 

The VMM 2008 library provides a central location for managing 
and storing virtual assets such as VMs, virtual hard disks (VHDs), 
ISO files, profiles, customization scripts and sysprep answer files, and 
templates. You can implement multiple libraries in large, distributed 
environments to prevent WAN-based performance problems. 

A new VMM 2008 feature, Performance and Resource Optimization
(PRO), optimizes virtualized resources using performance and
health data provided by Ops Manager 2007 management packs. VMM 
2008 also integrates with the failover clustering feature in Windows 
Server 2008, giving your virtualized environments cluster-aware, high- 
availability functionality. 

Installing and Using VMM 2008 

Unlike Microsoft's free VM management tool, Hyper-V Manager, 
VMM 2008 must be installed in an Active Directory (AD) domain. (VM 
hosts don't need to be domain members, however.) It can be installed 
on top of Server 2008 x64 only and includes a copy of SQL Server 2005 
Express, which the VMM library and reporting functionality require. 
It can also use existing SQL Server installations, including SQL Server 
2008. You can install the VMM 2008 admin console on Windows Vista 
SP1, Windows Server 2003, and Windows XP SP3. A self-service portal, 
which you can install on Server 2008 and Windows 2003R2, lets you 
provide VMM functionality via an intranet. You need to install a VMM 
2008 agent on each host and library server. 

Compared to Hyper-V Manager, VMM 2008 offers an amazing 
amount of additional functionality. The UI is more sophisticated and 
provides advanced filtering and host groups,
letting you view logical groups of VMs on any
number of physical hosts in a single view. A
resizable preview window lets you view running
VMs, limiting the need to connect to the
VM and open it in a separate window. This 
filtering and grouping also makes managing 
clusters of VM hosts much easier. 

Most of VMM 2008's advanced tools are
accessible via simple wizards. The Migrate
Virtual Machine Wizard rates potential target
hosts in a migration and lets you easily
pick an appropriate destination. Migration
of Hyper-V-based VMs is not instantaneous,
but is nearly so; migration of ESX Server VMs,
however, is instantaneous thanks to that system's
live migration facilities. (Live Migration
is coming to Hyper-V in Windows Server 2008 
R2.) Every wizard has a View Script button, so 
you can see the PowerShell code that's being 
generated under the hood and apply it to 
your own scripts. 

In use, VMM 2008's library is a veneer
over the underlying file system. As you navigate
through subfolders such as ISOs, Scripts,
Templates, and VHDs, you're seeing a representation
of these objects as they are literally
stored in Explorer.

The VMM 2008 Self-Service Portal is 
interesting as well. This web application lets 
end users start, stop, and pause VMs, make 
check points, and perform other related 
actions, all without involving a support call. 
Available VMs can be shown in a text-based 
list view or a more graphical thumbnail view,
which provides a live glimpse into the running
VMs.

A primary advantage of VMM 2008 over 
VMware tools is that Microsoft can see further
into each VM than can its competition.
Thanks to the System Center management 
pack integration, you can dig into each VM 
and manage the underlying workloads as 
well. 

So whereas VMware is limited to identifying
the OS utilized by the VM, VMM 2008
can go further and, for example, determine 
whether Microsoft IIS is installed. Then you 
can view the event log and perform other 
lower-level work. 


Recommendations 

VMM 2008 is a sophisticated solution and 
is far more capable than the freebie Hyper-V
Manager, as expected. But what makes
VMM 2008 so compelling is its interoperability
prowess: It works with all of Microsoft's
virtualization servers and with VMware ESX 
Server. It integrates with System Center and 
provides a seamless, centralized management
interface for physical and virtual
machines. And it can utilize the failover 
and high-availability features of Server 2008 
to provide data-center-ready virtualized 
environments. Ultimately, VMM 2008 will 
most interest those who manage large data 
centers. But it will make deploying and 
managing virtualized environments easier 
for businesses of all sizes.

InstantDoc ID 100524

PAUL THURROTT (thurrott@windowsitpro.com) is the news editor for Windows IT Pro.
He writes a weekly editorial for Windows IT Pro
UPDATE (www.windowsitpro.com/email) and
a daily Windows news and information
newsletter called WinInfo Daily UPDATE
(www.wininformant.com).



Get ahead of the game 


Want to give your team the edge? 

Join Front Runner for Innovate On today. 


In the software business, the difference between a touchdown and a fumble is 
good preparation. So get your playbook in order, and kick off the next stage of 
your team's development now. 

You'll get end-to-end support for Microsoft® SQL Server® 2008, from technical 
troubleshooting to marketing advice. Not only that, but your people can blitz 
our training resources and learn the latest development power plays. 

When you're ready for your big moment, our lightning-quick marketing templates 
will help you get the message out to your customers. You'll also earn the right to 
put the Front Runner badge on all your own communications. Wear it with pride, 
and let the crowd know you're one of the first to develop on SQL Server 2008. 


Go deep. 

Go to www.innovateon.com/frontrunner 
Finally, Affordable Enterprise-Class Archiving


Introducing Sunbelt Exchange Archiver. Sunbelt
Exchange Archiver (SEA) is a robust new product which
delivers real enterprise-class email archiving, at a price that
won’t break your budget. Get comprehensive legal and
regulatory compliance. Reduce your Exchange storage by
up to 80%. Securely store emails on your choice of media,
using the built-in Hierarchical Storage 
Management. And, find archived emails 
rapidly with full-text search for e-discovery 
or compliance. 


Compliance, e-Discovery, and legal 
readiness. If you need to archive emails 
for regulatory or legal reasons, SEA has 
you fully covered. Emails are stored in 
their original form, in whatever secure 
media you prefer, with complete flexibility 
on retention. Need to find an archived 
email? Simply use SEA’s powerful 
integrated full-text search of emails and 
attachments, and you’ll be ready at a 
moment’s notice for e-discovery or legal 
requests. 

Seamless end-user experience. SEA 

is fully transparent for your users, whether 
they’re running Outlook, OWA, Blackberry 
devices or even Entourage on the Mac - with 
no special client software needed. Trusted 
end users can be delegated granular authority 
with the included web-interface or optional Outlook 
add-in. They can do off-line synchronization, and search, 
edit, forward, move or delete archived emails. 



Most Valuable Product 


Up to 80% smaller message store. With SEA, you’ll 
dramatically reduce your Exchange storage. The benefits are 
clear: faster backup times, better Exchange performance, 
and faster recovery. 

Journaling not required. It’s a fact that using the 

Exchange Journaling mailbox for archiving 
dramatically affects server performance. 
With SEA, Journaling is an option - the 
program’s breakthrough Direct Archiving 
feature stores all emails immediately after 
they are received, keeping load off the 
Exchange server. 


"Exchange performance 
is suffering. Your users 
complain about email 
storage. Your CEO wants 
legal compliance. 

Now what?" 


No more PST headaches! SEA gets 
rid of pesky PST files that are a major 
admin headache. SEA automatically finds 
them, imports them, and makes them part 
of your user’s archive. 

Great for disaster recovery. No 

matter where you email is stored, business 
continuity is assured with SEA. Using the 
included web client, users can continue to 
see and use their email even if Exchange is 
down. 

Archiving’s time has come for 
everyone. Contact us today and see how 
SEA solves your legal and compliance 
headaches and immediately improves the performance of 
Exchange - while saving critical budget dollars. 




■ 





Sunbelt Software 


Get a Free Quote and See How Cost-effective Sunbelt Exchange Archiver Really Is! 

Email sales@sunbeltsoftware.com or call 888-688-8457 


Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax:1-727-562-5199 www.sunbeltsoftware.com sales@sunbeltsoftware.com 

© 2007-2008 Sunbelt Software. All rights reserved. Sunbelt Exchange Archiver is a trademark of Sunbelt Software. All trademarks used are owned by their respective owners. 


















WINDOWS POWER TOOLS 


Minasi



Control Your Licensing with Slmgr 

Tame the necessary evil that is Windows Product Activation 


The annoyance that is Windows Product Activation used
to plague only small businesses and home PC users, but
now that Windows Vista and Windows Server 2008 use
it, we all have to grapple with it. Your primary client-side
tool for managing a system's software licensing is called
Slmgr (slmgr.vbs). Need to change a product key or activate
a system from the command line? Want to extend Server 2008's
60-day grace period to 240 days? Not sure whether your computer's
license is a volume, retail, or OEM license? If so, you need Slmgr.

Putting It to Work 

If you have systems without a GUI or systems that need to activate 
via a batch file, Slmgr's -ato option is useful. To activate a system, 
simply open an elevated command prompt and type 

slmgr -ato 

If you're working on a system that's using either a retail copy or 
a volume license copy of Windows that's been activated with the 
Multiple Activation Key (MAK), Slmgr attempts to contact Microsoft's
activation web servers. However, if the system is running a
copy of Windows built from the volume license media and has been 
activated with the Volume License Key (VLK), Slmgr knows that it 
should instead try to contact your organization's Key Management 
Server (KMS). When Slmgr requires Microsoft's servers, it already 
knows those Internet addresses. But if Slmgr needs to find your KMS 
server, it needs to ask its local DNS server to resolve an SRV record 
that reveals your local KMS server's host name: 

_vlmcs._tcp.<your organization’s DNS zone name> 

For example, bigfirm.com's SRV records identifying its KMS
server would be _vlmcs._tcp.bigfirm.com. Sometimes, though, 
technical configuration problems or institutional constraints keep 
that SRV record out of your organization's DNS zone, and Slmgr 
can't activate your copy of Windows. But if you know your local KMS 
server's host name or IP address, you can tell your Vista or Server 
2008 system to activate via that KMS server by using the command 

slmgr -skms <server name or IP address>[:<port>] 

So, if your KMS server is named kms1.bigfirm.com, you'd type

slmgr -skms kms1.bigfirm.com

The optional colon and port number point to the fact that activation
traffic runs over port 1688, by default; if you've reconfigured your
KMS server to use another port (e.g., port 2010), you'd extend the
Slmgr -skms command by suffixing a colon and that port number
to the KMS server's name. For example,

slmgr -skms kms1.bigfirm.com:2010

Before you can activate a copy of Windows, you need to give it a 
product key. The easiest method is to make liberal use of the greatly 
improved setup scripts in Vista and Server 2008. But if you need to 
install or change a product key from the command line, the -ipk 
("install product key") option can help. For example, 

slmgr -ipk YGR45-THIS9-WONT5-0WORK-D7667 

would enter the YGR45-THIS9-WONT5-0WORK-D7667 product key.

Have you ever needed to know whether a system license is an 
OEM, retail, or volume license? The Slmgr -dli command shows 
your Windows version (e.g., Vista Ultimate, Server Enterprise), the 
final five characters in your product key, the licensing state, whether 
you've activated, and—if not yet activated—how many minutes you 
have left. The Slmgr -dlv command also reveals that information, 
along with a few more activation details and several URLs to places 
on Microsoft's site that appear not to work anymore. 
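
The commands above, strung together for unattended KMS activation as an added example (not code from the original column). ZONE and FALLBACK_KMS are assumed values modeled on the article's bigfirm.com example; running slmgr.vbs under cscript, the "svr hostname" line in nslookup's SRV output, and the English "License Status: Licensed" text from -dli are assumptions about the environment.

```batch
@echo off
rem Added example, not from the original column.
rem Unattended KMS activation: rely on DNS auto-discovery when the SRV record
rem exists, otherwise point the client at a known KMS host with -skms.
rem Run this from an elevated command prompt.
setlocal

rem Assumed values, modeled on the article's bigfirm.com example.
set "ZONE=bigfirm.com"
set "FALLBACK_KMS=kms1.bigfirm.com:1688"

rem Run slmgr.vbs under cscript so results print to the console instead of
rem appearing in message boxes (assumes the default system32 location).
set "SLMGR=cscript //nologo %windir%\system32\slmgr.vbs"

rem Step 1: look for the _vlmcs._tcp SRV record in the zone. Windows nslookup
rem prints a "svr hostname" line for each SRV answer it receives.
nslookup -type=srv _vlmcs._tcp.%ZONE% 2>nul | findstr /i /c:"svr hostname" >nul
if errorlevel 1 (
    echo [kms] no _vlmcs._tcp.%ZONE% record, using %FALLBACK_KMS%
    %SLMGR% -skms %FALLBACK_KMS%
) else (
    echo [kms] SRV record found, leaving auto-discovery in place
)

rem Step 2: attempt activation.
%SLMGR% -ato

rem Step 3: confirm the result from the license display instead of assuming
rem step 2 worked. Assumes English output with "License Status: Licensed".
%SLMGR% -dli | findstr /i /c:"License Status: Licensed" >nul
if errorlevel 1 (
    echo [kms] activation NOT confirmed, current license details follow
    %SLMGR% -dli
    endlocal
    exit /b 1
)

echo [kms] activation confirmed
endlocal
exit /b 0
```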

Finally, suppose you don't yet want to activate your copy of Windows
for some reason. Vista gives you a 30-day grace period, and
Server 2008 gives you 60 days, but both OSs also let you reset those 
grace periods four times, making Vista's actual grace period about 
120 days and Server 2008's about 240 days. To reset it, just open an 
elevated command prompt and type 

slmgr -rearm 

Take Control 

If you're running Slmgr for the first time to do anything but activate
a system, you might notice that it's slow. I suspect that the extremely
complex mathematics underlying product-key and license verification
add up to one of the most important weapons in Microsoft's
arsenal in its war on piracy—although no one at Microsoft has ever
confirmed this suspicion. Regardless, dealing with activation is no
fun, but at least Slmgr lets you take greater control of it.

InstantDoc ID 100477 
Otey


Windows Vista Sidebar Gadgets 

Try these fun and useful additions to the side of your screen 


Although I'm a bit dismayed at their insistence on taking
over the right side of my screen, some of Windows
Vista's gadgets for Windows Sidebar can be rather
handy. Like mushrooms in the fall, gadgets are beginning
to pop up everywhere, but there's only so much
room in the Sidebar. To help you populate your Sidebar
with only the best tools, here are my top 10 favorite Sidebar gadgets.
The gadgets here (other than numbers 1 and 10) are available
from Microsoft Live Gallery at gallery.live.com. Just type the name of
the gadget into the search box near the top of the page. Live Gallery
also provides hundreds of other gadgets, so if none of these interest
you, you can surely find something that does.

10. Weather—Yeah, it's just the weather, but it's kind of handy to
have a couple of Weather gadgets for remote locations where
your friends are located. On the Sidebar, the gadget shows your
chosen city's name, a weather graphic, and the temperature. The
Weather gadget comes with Vista and you can add it by using the
Sidebar's Add Gadgets option.

9. Auction Sidebar Tool for eBay—If you're addicted to eBay—
and who isn't?—this should be right up your alley. The gadget
lets you search for and monitor auctions and place bids. It's
certified by eBay, which should quell worries about a security
breakdown hurting your seller or buyer rating.

8. Wikipedia Search—Admit it: You use Wikipedia. So do I.
Wikipedia is a regular stop for research on many topics. Although
it's a bit big for the sidebar, the Wikipedia Search gadget lets you
quickly enter Wikipedia searches from your desktop. The Wikipedia
search results are displayed in your browser window. There are two
gadgets with this name on Live Gallery. I recommend the one by
"fredeq."

7. messenger—If you use Windows Live Messenger for instant
messaging, you might want to check out the messenger gadget.
It shows which of your contacts are online, any alerts, and your
Windows Live email status.

6. IP Webcam Gadget—I have a remote IP webcam in the office,
and the IP Webcam Gadget gives me a handy window to the
webcam right on my laptop's desktop when I'm travelling from
office to office. It took a bit of manual editing to put the address
of the webcam in the included .htm file, but after that it worked
well.

5. miniIP—The miniIP gadget gives you a quick display of your
external IP information. It reports your IP address and hostname,
as well as location information, including your current
city and county.

4. Vista Shutdown Control—Vista Shutdown Control gives you
a convenient way to shut down your Vista system. The gadget
also has buttons that let you restart the system and lock the
desktop. This gadget could be just what you're looking for if you
don't like Vista's process for powering off your computer or if you
often need to lock it manually.

3. Speed Test—Speed Test is a system performance monitor.
Unlike some of the other performance gadgets out there,
Speed Test displays all of its system information in a graph.
The gadget can monitor a wide variety of system statistics, including
CPU, RAM, and bandwidth usage; ping response time; Wi-Fi signal
strength; and battery charge.

2. ((System Monitor))—If you're running one of today's quad-core
processors, you've got to wonder exactly how much each
of those cores is really being used. The ((System Monitor))
gadget gives you a quick look at your system's IP address and the
status of its CPU, RAM, and battery in bar graph form. The gadget
supports monitoring up to four cores.

1. PowerShell Gadget—My favorite Sidebar utility is PowerShell
Gadget. This gadget is just as good as a "PowerShell Here"
prompt—like the Command Here add-on for Windows XP.
PowerShell Gadget lets you enter PowerShell commands right
into the collapsed gadget. You can also expand it into a complete
PowerShell console window. You can find PowerShell Gadget at
andrewpeters.net/powershell-gadget.
2008 New Features (Osborne/McGraw-Hill).

WHAT WOULD MICROSOFT SUPPORT DO?


Morales



Simplify Process Troubleshooting with DebugDiag 

Find the cause of a crash, hang, or memory leak faster using this debugging tool 


When troubleshooting application-stability
concerns and performance problems such
as crashes, hangs, and high memory usage,
sometimes you need to examine the process
that was active when the problem occurred. To
complicate troubleshooting, server applications
such as Microsoft IIS, Exchange Server, SQL Server, COM+, and
BizTalk Server often display no UI and restart automatically without
indicating what caused them to fail. Having the right debugging tool
to isolate a problem can make finding the solution much easier. For
such problems, Debug Diagnostic Tool (DebugDiag) is often a better
choice than other debugging tools such as ADPlus, Userdump, and
WinDbg. I'll explain why and will walk you through using DebugDiag
to troubleshoot a process crash.

Why Use DebugDiag? 

To understand why DebugDiag is often a good choice for Windows 
process troubleshooting, let's first look at why a process might crash. 
A process crash is an unexpected program termination when a process
exits abnormally. Typically the crash is caused by an unhandled
exception; however, it could also occur when the process detects 
a problem condition and exits without an exception (for instance, 
process recycling caused by excess memory utilization). 

A commonly used workaround is to restart the process or service 
in hopes that whatever caused the crash will no longer occur. But to 
really determine what caused the problem and to fix it, you must 
analyze the process state at the time of failure. You could capture 
a process's state at any time by generating a user dump file. User 
dumps are generated by any Windows debugger and have the file 
extension .dmp, .hdmp, or .mdmp. The main Windows debuggers 
for processes are WinDbg, Cdb, and ntsd, and their user dumps,
when analyzed, can contain valuable clues about what caused a 
process crash. Accurately analyzing a process dump file can require 
some expertise. That's where DebugDiag comes in: It makes the 
analysis portion of the troubleshooting process much simpler. 

DebugDiag combines many key features from each of the Windows
Debugging Tools (ADPlus, Userdump, and WinDbg) and
includes a rich UI, which helps make the tool easy to use. You
can download the latest version of DebugDiag at
www.microsoft.com/downloads/details.aspx?familyid=28bd5941-c458-46f1-b24d-f60151d875a3.
DebugDiag is installed as a service, so configuration settings
that you set in DebugDiag will survive system reboots. The tool's
analysis feature is fast, easy to use, and portable, so you can send the
data to a manufacturer or in-house developer for further review and
troubleshooting. DebugDiag requires less than 19MB of disk space. It
runs on Windows Vista/XP/2000/NT and Windows Server 2003 but
hasn't been tested on Windows Server 2008.

DebugDiag in Action 

Let's look at how the Microsoft Global Escalation Services team 
used DebugDiag to handle a recent customer issue. The customer's 
website kept going down, and we suspected that the Microsoft 
World Wide Web server process might be crashing. So we installed 
DebugDiag and configured it to monitor specifically for crashes in 
the World Wide Web Publishing Service. 

After you install and start DebugDiag, you're immediately presented
with the Select Rule Type wizard dialog box, which lets you
choose the appropriate rule to use, depending on what you want to 
monitor. In this example, we'll concentrate on process crashes, so if 
you suspect or have confirmed that a process crash is occurring, you 
should select the Crash rule type in the Select Rule Type dialog box, 
then click Next. 

Now you'll choose the type of process to monitor in the Select 
Target Type dialog box, such as a specific NT service, a specific process
(e.g., an application process), or all IIS/COM+ related processes.
For our customer support problem, we chose to monitor a specific 
service and selected the World Wide Web Publishing Service in the 
Select Target dialog box. 

In the wizard's next dialog box, Advanced Configuration 
(Optional), you can configure optional advanced settings for crash 
monitoring. In our case, we simply chose the defaults and clicked 
Next. You'll then see a dialog box showing the name of the rule and 
the path in which the user dump data will be stored; click Next to 
keep the defaults or make changes, such as changing the default 
directory where dump files are stored. 

You'll see the final dialog box, where you can either activate the 
rule now or manually activate it later. Then click Finish. Note that 
you might want to choose the activate later option if you aren't ready 
to monitor a process just then but want to complete the configuration
steps ahead of time.

Now you'll see the main DebugDiag application window, which 
has three tabs. Click the Rules tab to see the configured rules on that 
system, the rule name, the rule's status (active or not), and Userdump 
Count. Userdump Count is the number of process crashes for the 
monitored process that DebugDiag captured
and stored in the path listed under the
Userdump Path column. The Processes Tab 
displays the currently running processes on 
the system. 

Analyzing the Data 

After you've configured DebugDiag to monitor
for a specific process, you can reboot
the system and log off without worrying
about disturbing the monitoring process.
When you suspect the monitored process
has crashed, you can check the DebugDiag
application window and view the Userdump
Count column to verify that a user dump file
has been created.

The Advanced Analysis tab, which Figure 1
shows, is where you select which script
you want to run to analyze the user dump
data for a monitored process. We chose the
Crash/Hang Analyzers script since we want
to analyze a process crash. Next, you'll need
to add a user dump file to analyze, by clicking
the Add Data Files button and navigating
to the stored location of the captured user
dumps. Highlight the appropriate .dmp file
and click the Open button. You'll see that
the dump file has been added; you're now
ready to start the analysis.

Click the Start Analysis button to execute 
the script you selected. DebugDiag will show 
the analysis progress. When the analysis is 
finished, DebugDiag automatically saves the 
analysis report in the DebugDiag\Reports 
folder and opens it in Internet Explorer. An 
analysis report has three main sections: 

• Analysis summary—an Event Viewer- 
type of message that records errors, 
warnings, and information relevant 
to the user dump analysis along with 
descriptions and recommendations for 
solving the problem shown by the error 
and warning information. 

• Analysis details—starts with a table of 
contents listing all the analyzed memory 
dumps. For each memory dump, there's 
a listing of report titles indicating the 
type of analysis performed. 

• Script summary—reports the status of 
the script that was run to analyze the 
user dump. If any errors occurred while 
the script ran, this section will list the 
error code, source, description, and lines 
that caused the errors. 

For the World Wide Web Publishing Service
crash, we found the resolution in the analysis
summary's Recommendation section,
which provided a link to a Microsoft article
that contained the fix for the problem, as
Figure 2 shows.

Closing in on a Solution 

Although DebugDiag probably won't resolve
every Windows process problem, it will usually
provide data to move you closer to a
solution. Sometimes you might get only the
.dll name and manufacturer that caused
the problem, but with such data you can
search online for a solution or help your
tech support person more quickly resolve
the problem.

InstantDoc ID 100577 


MICHAEL MORALES (morales@microsoft.com) is a senior escalation engineer for
Microsoft's Global Escalation Services team. He
specializes in advanced Windows debugging
and performance-related issues. For information
about Windows debugging, visit blogs.msdn.com/ntdebugging.
InstallWatch Keeps Track of 
Installation Changes 

A colleague, Gil Cintron, recently recommended
that I try Epsilon Squared's
InstallWatch. This free tool scans your PC
before and after an application's installation
and shows you all the changes (e.g.,
registry key changes, file changes, version
updates) that were made. When I asked
Gil if he had an example of how InstallWatch
made his job easier, he had this to
say, "I worked in a lab where we tested applications
for approval to be included as
part of the Navy's Integrated Shipboard
Network System (ISNS) baseline. Before
an application can be accepted, it has to
meet compatibility and security requirements.
InstallWatch was one of the main
tools we used to keep track of exactly
what each program was trying to do with
our systems. When dealing with defense
and tactical systems, there isn't any room
for guesswork. InstallWatch did a pretty
good job of eliminating the guesswork."

To test InstallWatch's functionality, I
downloaded it from www.epsilonsquared.com
and installed it on my PC. As
instructed, I used InstallWatch to take an
initial scan of my PC. I then installed an application
I had lying around. Finally, I used
InstallWatch to take another scan. Both
scans were extremely fast, even on my virtual
machine. InstallWatch then produced
a report showing which files and registry
keys had been added, deleted, or modified.
The InstallWatch reports are stored on the
local hard drive and can be exported to an
HTML or text file for later review.

If you add InstallWatch to the Startup
folder, it can run by itself in the background.
According to the tool's Help file,
InstallWatch will monitor your system and
make its presence known whenever an
application begins an installation routine.

I found InstallWatch to be extremely
simple to use. It also
works as promised.
Great find, Gil!

—Eric B. Rux, senior
Windows administrator and
cofounder of WHSHelp.com
InstantDoc ID 100463



READER TO READER 


Happy Holidays HTA 

Once in a while it's fun to do something a
little different with scripting. For example,
I created an HTML Application (HTA) that's a
greeting card for the holiday season.
HolidayTree.hta uses basic timers with randomized
colors to produce a colorful holiday
tree with blinking multicolored lights and a
Happy Holidays greeting (see Figure 1). You
can find HolidayTree.hta in the 100488.zip
file, which you can access by going to
www.windowsitpro.com, entering 100488 in the
InstantDoc ID box, clicking Go, then clicking
the Download the Code Here button. To
"open" the card, simply double-click the
HolidayTree.hta file.

If desired, you can easily personalize the
greeting and change the color of the tree
lights and the background. To change the
greeting, open the file in Notepad and find
the code

<p align="center"><b>
<font size="7" color="#800000">
<span style="font-family: Brush Script MT">Happy Holidays</span>
</font></b></p>

Replace Happy Holidays with your
greeting.

To change the color of the tree lights or
background, you need hexadecimal color
codes. I included the AddColor.hta in the
100488.zip file for this purpose. In the
AddColor.hta's UI, click the Rainbow Chart
button to create a red-green-blue (RGB)
color chart in Microsoft Word. This chart
consists of 180 different colored cells. Inside
each cell is the RGB value that creates the
color. After you find the color you want, you
can convert the RGB number into the hex
code in AddColor.hta. (If you'd like more
information about AddColor.hta, see the
VIP exclusive article "Add a Little Color to
Your World" at
windowsitpro.com/article/articleid/47800/add-a-little-color-to-your-world.html.)

After you have the hex codes for the
colors you want to use, plug your hex color
codes into HolidayTree.hta. The code

<body bgcolor="#008080">

sets the background color. The code

str = "#FF0000,#FFFF00,#FF00FF," & _
  "#00FF00,#00FFFF,#0000FF,#ADFF2F"
str = str & ",#FF8C00,#FF1493,#FFCC00," & _
  "#FFEFD5,#8B008B"

sets the color of the tree lights. Happy
holidays to you all!

—Jim Turner, domain administrator and applications 
developer, Computer Sciences Corp. 

InstantDoc ID 100488 



Figure 1: An HTA holiday card 
ASK THE EXPERTS


ANSWERS TO YOUR QUESTIONS 



Q: What is the Security Center 
Control Panel applet in Windows 
Vista and Windows XP SP2 used 
for? Is there a way to modify how 
Security Center notifies users of 
security-related problems? 

At Security Center is a Control Panel applet 
that Microsoft introduced in XP SP2 that 
provides a central configuration and man¬ 
agement interface for client-side security 
services. Security Center continuously 
monitors the status of client-side security 
services. In XP SP2, Security Center moni¬ 
tors Windows Firewall, virus protection, and 
Automatic Updates settings. Vista's Security 
Center also monitors Windows Defender, 
Microsoft Internet Explorer (IE) security, and 
User Account Control (UAC) 
settings. 

Behind Security Center is 
an engine that continuously 
monitors the configuration 
status of these security ser¬ 
vices and informs users of their 
status. Each service's status is 
checked against the preferred 
configuration settings that are 
specified in the Security Center 
configuration dialog box, which 
Figure 1 shows. For example, 
the Security Center verifies that 
Windows Firewall, Automatic 


Updates, and real-time virus scanning are 
enabled and that the virus protection signa¬ 
ture files are up-to-date. If Security Center 
finds that a service isn't operating as speci¬ 
fied in the Security Center configuration 
dialog box, it alerts the user by displaying a 
red icon in the user's taskbar or displays an 
alert message on the user's desktop. 

Users can modify the way Security Center 
notifies them of problems by clicking 
the Change the way Security Center alerts 
me link that's located in the left pane of 
the Security Center dialog box. From the 
resulting Windows Security Center dialog 
box, users can disable the Security Center 
notifications, enable only user taskbar 
notifications, or enable only notification 
messages on the user's desktop. 

Security Center is enabled by default on Vista and XP SP2 systems that aren't joined to a Windows domain. For domain-joined machines, administrators can enable and disable Security Center via the Turn on Security Center (Domain PCs only) Group Policy Object (GPO) setting that's located in the Computer Configuration\Administrative Templates\Windows Components\Security Center GPO container.

—Jan DeClercq

InstantDoc ID 100194
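
To see the state described in this answer on a given machine, you can check the Security Center service, the policy value behind the GPO setting, and the products that have registered with Security Center. The script below is an added example, not part of the original column; the wscsvc service name, the SecurityCenterInDomain registry value, and the root\SecurityCenter WMI namespaces do not appear in the column and are assumptions about how XP SP2 and Vista implement the feature.

```powershell
# Added example: report whether Security Center monitoring is active on this PC.
# Not from the column (assumptions): service name, policy value, WMI namespaces.

# Per the column, Security Center is on by default only on machines that are
# not joined to a domain, so domain membership decides what "default" means.
$inDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

# The Windows Security Center service (assumed name: wscsvc).
$svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
$svcState = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }

# Registry value written by "Turn on Security Center (Domain PCs only)".
# A missing value means the policy is Not Configured.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
$pol = Get-ItemProperty -Path $polKey -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
$policy = if ($pol) { $pol.SecurityCenterInDomain } else { $null }

# Monitoring is effective when the service runs and either the PC is
# standalone or the domain policy explicitly turns Security Center on.
$monitoring = ($svcState -eq 'Running') -and ((-not $inDomain) -or ($policy -eq 1))

# Third-party antivirus and firewall products registered with Security Center.
# XP SP2 and Vista RTM use root\SecurityCenter; later builds add SecurityCenter2.
$products = @()
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        try {
            $found = Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop
            foreach ($p in $found) {
                $products += "{0} ({1}, {2})" -f $p.displayName, $class, $ns
            }
        } catch {
            # Namespace or class not present on this OS version; skip it.
        }
    }
}

"Domain joined        : $inDomain"
"wscsvc service       : $svcState"
"Policy value         : $(if ($policy -eq $null) { 'Not Configured' } else { $policy })"
"Monitoring effective : $monitoring"
"Registered products  : $(if ($products.Count) { $products -join '; ' } else { 'none found' })"

if ($inDomain -and -not $monitoring) {
    # Users on this PC get no taskbar or desktop alert when a protection is off.
    Write-Warning 'Security Center is not alerting on this domain PC; enable the GPO or monitor centrally.'
}
```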

Q: Should I install a System Center Data Protection Manager (DPM) 2007 agent on my guest OS virtual server?

A: It depends on what you want to 
protect. If you install a DPM agent on 
the virtual server's main DPM 2007 
administrator console, you can protect 
only virtual machines (VMs)—you 
can't protect any applications run by 
the VMs. If you deploy the agent in the 
guest OS, you can protect everything 
the VM runs. For example, if the VM 
runs Microsoft SQL Server, you can 
protect the databases and capture the 
transaction log data. 

There are also licensing considerations. If you deploy the DPM agent in the guest OSs, they each need an agent license.

This doesn't mean that protection at the virtual-server level is inconsistent. Virtual Server 2005 R2 SP1 has a recursive Volume Shadow Copy Service (VSS) writer, so when DPM 2007 asks the virtual server for a snapshot, the request is passed to all VM VSS writers and you get a consistent data backup.

—John Savill

InstantDoc ID 100193

COVER STORY

We put the latest incarnations of Microsoft Hyper-V and VMware ESX Server to the test
by Michael Otey

Earlier this year, Windows IT Pro published my head-to-head comparison of Microsoft's Hyper-V virtualization platform and VMware's market-leading ESX Server. (See the Learning Path, page 23.) In that two-part series, I compared the feature sets, licensing, and performance of both products. I found ESX Server to have a notably better installation and management story, as well as a slight performance edge. However, for a pre-release product, Hyper-V fared well and proved itself to be a viable virtualization platform.

Since that first round of reviews, much has changed in the virtualization market. First, the RTM version of Hyper-V is now available: Microsoft has made its final performance enhancements to the product. Second, Microsoft has released a standalone version of Hyper-V called Hyper-V Server 2008. For more information about this incarnation, see the web-exclusive sidebar "The Standalone Hyper-V Server 2008" (www.windowsitpro.com, InstantDoc ID 100574). Third, both companies have altered the licensing for their respective products. Hyper-V Server 2008 and VMware ESXi are free downloads. For more information about VMware ESXi, see the web-exclusive sidebar "ESXi vs. ESX Server" (InstantDoc ID 100575).

Considering these changes, I've decided to retest these products' 
management and performance aspects, as well as address some 
particular concerns about each product that readers—and Microsoft 
and VMware representatives—have brought up since my first tests. 
Now, let's jump back into the ring with ESX Server and Hyper-V. 


Hypervisor Differentiation

Both ESX Server and Hyper-V are hypervisor-based, but not all hypervisors are created equal. The architectures of these products differ significantly. And many IT pros have been confused by Hyper-V, mistakenly assuming that because it's shipped with Windows Server 2008, it's a hosted virtualization product that runs on top of the Server 2008 OS. That's not the case. Like ESX Server, hypervisor-based Hyper-V runs directly on the system hardware.

Figure 1 provides an architecture comparison. As you can see, one of the biggest differences between the products is the way each handles hardware device drivers. ESX Server implements the drivers as a part of the hypervisor itself—a method that results in a comparatively large hypervisor. This approach also adds third-party code to the hypervisor. VMware tests and certifies these drivers, but they're developed by system hardware vendors. (For a list of systems that support ESX Server 3.5 and ESXi, see the Learning Path.) Hyper-V implements the drivers in the parent partition, outside the hypervisor. Table 1, page 22, provides the pros and cons of each approach.

Figure 1: Comparing the Hyper-V and ESX Server architectures

The implementations of the hypervisor itself also differ. The ESX Server hypervisor uses a 32-bit kernel, allowing it to run on both 32-bit and 64-bit systems. However, that doesn't limit it to running only 32-bit guests; ESX Server also supports 64-bit guests if it's running on a 64-bit hardware platform. With its next ESX Server release, VMware plans to move to a 64-bit hypervisor. By contrast, Hyper-V already uses a 64-bit hypervisor, which promises improved performance and scalability. Also, Hyper-V requires that the system you install it on possess processor-assisted virtualization (e.g., AMD processors that support AMD-V, Intel processors that support Intel-VT). Hyper-V requires that the processor have either AMD's No Execute (NX) or Intel's Execute Disable (XD) features, and the system needs to offer BIOS support for virtualization. These features are standard in most of today's server systems, but they aren't in all systems.

Guest Support

To some extent, the differences between the products' hypervisor implementations are academic. Both products have proven to be good performers and scale well with multiple workloads. However, the difference in guest OS support is much clearer. In this respect, ESX Server is a much more mature product: VMware supports a wide array of guest OSs. Web Table 1 (InstantDoc ID 100573) provides a list of guest OSs that ESX Server supports. (For a complete list of the guest OSs that the product supports, see the Learning Path.)
As you might expect, the list of guest OSs that Hyper-V supports includes all the recent Microsoft OSs but few others. Web Table 2 provides a list of guest OSs that Hyper-V supports. (For a complete list of the guest OSs that the product supports, see the Learning Path.) The list of OSs that Hyper-V supports is dominated by Microsoft, with the exception of SUSE Linux—but this Linux implementation is limited to a single virtual CPU, far short of the Linux support that ESX Server offers. Microsoft marketing states that Hyper-V runs other OSs, such as multiple Linux distributions, but actually Hyper-V doesn't support any distribution other than SUSE, for which Microsoft has an agreement with Novell. Microsoft has made the code for the Linux Hyper-V integration components available but has left its adoption to other vendors—a significant development because the VMBus-aware drivers that provide the best Hyper-V performance are installed as a part of the integration components. Without them, the guest must run in slower legacy-emulation mode. Currently, no integration components are available for other Linux implementations, but you can run other Linux distributions as unsupported legacy guests.

Built-In Management 

This review is focused solely on the virtualization platforms themselves, and I won't touch on the management suites that either vendor provides as separate products. The distinction can be confusing: Many VMware-supporting readers have opined that VMware's VMotion is the single biggest difference between the products; however, although VMotion is an important feature, it's not a part of ESX Server but rather a component of the VMware Infrastructure 3 (VI3) management suite. A forthcoming Windows IT Pro article will compare VI3 and Microsoft's management suite, System Center Virtual Machine Manager (SCVMM). Let's take a look at the products' inherent management functionality.

Table 1: Pros and Cons of ESX Server and Hyper-V's Driver Implementation

Hypervisor Architecture | Pros | Cons
VMware's Approach (Drivers in Hypervisor) | Better control of resources used by device drivers | Third-party code in hypervisor
 | Drivers optimized and tested for virtualization | Larger hypervisor
 | All VMs operate independently | Smaller range of supported hardware
Microsoft's Approach (Drivers in Parent Partition) | No third-party code in the hypervisor | Uses standard device drivers
 | Smaller hypervisor | Failure in the parent partition could affect all VMs
 | Wide range of supported devices |

ESX Server. You use the Virtual Infrastructure Client to manage ESX Server. To download the client to your local system, you simply point your web browser to your ESX Server system, then click the Download VMware Infrastructure Client link. The entire process takes a couple minutes. The Virtual Infrastructure Client offers a full-featured, functional interface for managing multiple VMware virtual machines (VMs) for one ESX Server host. You can create and control VMs, and you can control a number of host settings, such as the configuration of virtual switches, the host time, the DNS server, and VMs' automatic start and stop actions. Also, you can use the Virtual Infrastructure Client to set up users and groups, along with their associated permissions.

The most noticeable missing feature is the ability to easily copy VMs among hosts. There's no built-in Windows Explorer, and no connections to remote hosts. However, free third-party tools such as Veeam (www.veeam.com) and WinSCP (www.winscp.net) can fill this gap. One of the best features of the client is its ability to track performance data at both the host and the VM level. It provides a storage summary, as well as CPU, memory, network, and disk usage. Figure 2 shows the Virtual Infrastructure Client's Performance tab.

Although the Virtual Infrastructure Client provides a good management interface in the absence of the VI3 management suite, it's limited. For example, it doesn't provide the ability to import and convert VMs, as the other VMware virtualization products do. And it doesn't let you copy or clone VMs. These options are present only if VI3 and VirtualCenter Server are available. Finally, I've found that I often need to drop back into the Linux management console to perform many tasks. For example, if I copy a VM to ESX Server, I don't get a graphical option to register the VM—I need to use the vmware-cmd command.

Hyper-V. In the arena of management, Hyper-V stumbles. Management for Hyper-V with a full Server 2008 installation is a good experience: When you install the Hyper-V role, the Hyper-V Manager is present and you can use it from the full Server 2008 installation to manage Hyper-V. Such is not the case for the Server Core version. Server Core has no built-in GUI and requires remote management. However, unlike ESX Server, the remote client is a separate download, and I had difficulty getting it connected. I used Server 2008 and a Vista client. I first tried it in a workgroup, then in a domain. Although it eventually worked, it wasn't a good experience—certainly not on par with the easy Virtual Infrastructure Client installation and connection. During my first round of testing, I attributed the difficulty to Hyper-V's pre-release code. Unfortunately, I was dismayed to find that the problem remains unresolved in the final release version.

The core of the problem seems to be that the Hyper-V Manager doesn't provide a mechanism for passing authentication information to the Hyper-V host. This omission requires you to embark on a painstaking multistep manual process to configure the client—and the server—that you want to use. You have to repeat the process for all the clients that you want to use to remotely manage Hyper-V. Adding insult to injury, the steps aren't documented with the product; you need to search Microsoft's blogs to find them. This situation represents a big hurdle to running Hyper-V on Server Core—particularly for SMBs looking to get started with virtualization. Until this problem is resolved, if you want to run Hyper-V, I'd go with the full Hyper-V and Server 2008 installation.

Personally, I'm surprised Microsoft didn't do a better job with this aspect. After all, running Hyper-V on Server Core lets you have less overhead and a more secure implementation. Plus, VMware has already shown how to do it correctly. All that being said, using the full Server 2008 installation has little effect on performance but makes the management of Hyper-V much easier.

The Hyper-V Manager provides a basic management interface that lets you manage a VM on one or more Hyper-V servers. You can create VMs and control them, create VLANs through the new virtual switching feature, set up automatic VM start and stop attributes, and set VM resource allocations. The Hyper-V Manager is functional but doesn't provide any of the advanced features (e.g., performance monitoring) that the Virtual Infrastructure Client provides. Figure 3 shows the Hyper-V Manager's Resource Allocation dialog box. Web Table 3 provides a summary of the management features that each product provides.

Figure 3: Hyper-V Manager

LEARNING PATH

"A First Look at Windows Server 2008 Hyper-V," InstantDoc ID 97857
"A Long, Hard Look at Hyper-V," InstantDoc ID 100437
"Hyper-V FAQs," InstantDoc ID 99440
"Virtualization Shootout, Part 2," InstantDoc ID 99248
"Virtualization Shootout, Part 1," InstantDoc ID 98879

OTHER RESOURCES

Systems Compatibility Guide for ESX Server 3.5 and ESX Server 3i
www.vmware.com/pdf/vi35_systems_guide.pdf

VMware Guest Operating System Installation Guide
www.vmware.com/pdf/GuestOS_guide.pdf

Virtualization with Hyper-V: Supported Guest Operating Systems
www.microsoft.com/windowsserver2008/en/us/hyperv-supported-guest-os.aspx

Performance Testing

I ran two sets of tests on an HP ProLiant ML370 G4, with two Intel quad-core Xeon processors running at 1.86GHz on a 1066MHz frontside bus. The system comes with 8GB of RAM and eight 72GB 15,000rpm drives configured as a RAID array. My tests in the previous articles were based on timed Windows Shell scripts. For this set of follow-up tests, I converted my test scripts to PowerShell, which enabled better program control as well as the ability to use ADO.NET as my SQL Server data-access mechanism.

The first set. First, I repeated the set of tests that I ran in the original articles. During those first tests, Hyper-V was in a pre-release state. For the final version, Microsoft has added some performance tweaks to the release code. To simulate a production server-consolidation scenario, I set up eight VMs on the host (each configured with 512MB of RAM) and I used the default settings for new virtual hard drive configuration. I used external networking, which linked the VMs' virtual network adaptors to the host. For this first round of tests, all the VMs were configured with the 64-bit Server 2008 Enterprise Edition. For the Hyper-V portion of the tests, the integration components were loaded onto all the guests. And yes, the Hyper-V VMs were all using the high-performance VMBus device drivers. For the ESX Server tests, the VMware Tools were installed.

To create a mixed workload, I configured six of the VMs to function as file servers and two as database servers running Microsoft SQL Server 2005 Enterprise Edition SP2. To test the file-server performance, I used a routine that copied a set of 10 files (totaling about 130MB) from the file server to the local client's hard disk. Then, the routine copied the files back to another directory on the server and deleted them. I used a three-second think time between all the operations. This routine repeated 20 times.

To test the SQL Server workload, I used 27 queries running against the sample AdventureWorks database. Although the bulk of the workload was data retrieval, the batch also contained a couple CPU-intensive queries, a 5,000-row insert function, and four SELECT INTO statements to add some data-modification operations. I inserted a three-second think time between each database interaction.

As you can see in Figure 4, page 24, ESX Server and Hyper-V provided similar performance under these test conditions. The bars in the graph indicate the total average time to complete the test suite. ESX Server demonstrated a 4 percent edge over Hyper-V in the test's file-server portion. However, Hyper-V beat ESX Server in the database testing by 1 percent. The combined results were the totals for both the file-server and database tests. This set of tests ran for about 20 minutes. Overall, ESX Server won the combined results by providing 3 percent better performance than Hyper-V. Although ESX Server finished the test suites faster than Hyper-V, the 3 percent difference is small.

Figure 5: Performance Testing Round 2

The second set. One reader comment about my first round of testing was that Server 2008 is optimized to run under Hyper-V and that other OSs might not deliver the same levels of performance. Microsoft confirmed this optimization and explained that certain guest OSs (e.g., Server 2008) are considered enlightened. Further, there are two types of guest enlightenment. The first is a basic level of driver enlightenment, which means that the guest OS can take advantage of Hyper-V's high-performance VMBus architecture. Vista and Server 2008 possess a second level of enlightenment called kernel enlightenment. Kernel enlightenments improve processor and memory performance to further optimize the guest OS for running in a VM. For more information about the Hyper-V architecture, see the Learning Path.

To determine whether Server 2008 offered any advantages while running under Hyper-V, I re-ran a second set of tests, following the same pattern as the tests in the first set. However, the second test set used 32-bit Windows Server 2003 Enterprise Edition SP2 as the guest OS for all the VMs. Again, for Hyper-V, the integration components were loaded and the VMs were using the VMBus drivers. For ESX Server, the VMware Tools were installed.

As you can see in Figure 5, the results were even closer than the first set of tests. In a surprise turnabout, Hyper-V posted a 1 percent edge over ESX Server in the file-server portion of the tests, whereas ESX Server posted a 2 percent advantage over Hyper-V in the database tests. Overall, ESX Server held a slight 1 percent edge in the combined performance results. Considering that the results with Windows 2003 were even closer than the results with Server 2008, it's fair to conclude that under these test conditions, Server 2008 showed no significant performance benefit by running under Hyper-V as opposed to ESX Server.

At this scalability level, ESX Server had a slight lead in both the 64-bit and 32-bit tests, but it's clear that both virtualization platforms deliver close levels of performance. That said, ESX Server's support for larger system configurations enables it to have greater overall scalability than Hyper-V.

Virtual Reality Check 

Both products deliver excellent virtualization performance, but Hyper-V is hamstrung by substandard remote management and limited support for non-Microsoft guest OSs. VMware's superior remote management and broader guest support characterize the more mature ESX Server.

At this point, for midsized-to-large business and enterprises, the more manageable ESX Server is the better choice, particularly if you want to support a mix of Windows and Linux guests. Remote management for Hyper-V is still too problematic. However, Hyper-V is a good choice for smaller businesses running Server 2008 that primarily want to virtualize Windows servers. The product's inclusion with Windows makes it simpler to use and adopt: You don't need to learn the unfamiliar commands necessary to deal with ESX Server's Linux-based management console. However, because of the aforementioned remote-management difficulties, I can't recommend Hyper-V on Server Core at this time. That being said, running Hyper-V on a full Server 2008 installation works well.

Virtualization is fast becoming an important business commodity, with both Microsoft and VMware essentially providing free virtualization products. However, raw virtualization is only half the story. The other half is management—which is where both vendors are looking to make their money. VMware's VI3 management suite has a big head start in this area, but Microsoft's SCVMM, with its ties to the System Center family of products, offers unique advantages. An upcoming issue of Windows IT Pro will compare Microsoft's and VMware's virtualization-management suites.

Using WDS with Windows Server 2008

Windows Deployment Services (WDS) is Microsoft's newest image deployment product, designed to deploy Windows Vista and Windows Server 2008. (WDS also supports Windows XP and Windows Server 2003, but you'll need to do a fair amount of tweaking.) You could call WDS the new Remote Installation Service (RIS). But wait—even if you took a look at RIS and went directly back to other imaging technologies, take a good look at WDS—it's worth it. WDS is more streamlined and easier to use than RIS ever dreamed of being. This article is a step-by-step guide for you to get WDS up and running in your environment in less than an hour.



Installing and Configuring WDS 

First let's look at how WDS works. Clients receive IP information from a DHCP server during the boot 
sequence. Next, the WDS client finds the WDS server via broadcasting or DHCP, then connects to the 
WDS server and boots a special boot image called a Windows Preinstallation Environment (WinPE). 
Finally an OS image stored on the WDS server is installed on the client. 

The WDS role ships with Server 2008 and requires three additional roles: DNS to find domain controllers (DCs); Active Directory (AD), either 2003 or 2008, for authentication; and DHCP for IP address information and options such as the IP address of the WDS server. The server on which you install WDS must be an AD member. All four roles (AD, DNS, DHCP, and WDS) can be installed on the same server, or you can separate the roles.

To install WDS on Server 2008, open Server Manager, highlight Roles, then click Add Roles (top right corner). The Add Roles Wizard launches and displays the Before You Begin page. Click Next. From the list of roles displayed, scroll down and select Windows Deployment Services. Click Next three times, accepting the defaults on each page (Overview of WDS, Select Role Services, Confirm Installation Selections). Click the Install button. When the installation is complete, click Close and you're ready to configure your new WDS server—no reboot needed.

Configure WDS by opening the WDS snap-in found under Start, Administrative Tools, Windows Deployment Services, or in Server Manager. (Although you might need to close and reopen Server Manager to see the new snap-in.) Expand Servers; there should be a yellow yield sign next to your server's name. Right-click your server name and choose Configure Server. The Welcome Page lists WDS's requirements; click Next. On the Remote Installation Folder Location page, choose the drive on which you want to store your images and click Next. The drive you store the images on should be dedicated to image storage because of the amount of space that will be needed. The next page to be displayed is determined by whether DHCP is installed on the WDS server or not. If (and only if) DHCP is installed on the same server as WDS, you'll get the DHCP Option 60 page. To learn more about DHCP Option 60 and the relationship between DHCP and WDS, see the web-exclusive sidebar "Configuring DHCP and WDS," www.windowsitpro.com, InstantDoc ID 100440.

The next page, PXE Server Initial Setting, lets you set whether you want the WDS server to respond to Preboot Execution Environment (PXE) client requests, and if so, how. You'll see four options:

1. Do not respond to any client computer. This turns off WDS responses.

2. Respond only to known client computers. WDS will respond to clients that have been pre-staged in AD. Pre-staging is done in Active Directory Users and Computers just as it was done in RIS.

3. Respond to all (known and unknown) client computers. By itself, this option would cause WDS to respond to all PXE requests; if you select this option and also select option 4, your setup is a bit more secure.

4. For unknown clients, notify administrator and respond after approval. This option allows pre-staged machines to receive a response from the WDS server, but unknown clients would remain on the PXE boot screen until an administrator has approved the request within the WDS snap-in. To approve a request from an unknown client, you would open the WDS snap-in, expand Servers, and highlight Pending Devices. In the results pane, you'll see a pending request. Right-click the pending request and choose either Approve, Reject, or Approve and Name.

The first two choices are straightforward; the third option approves the request and names the computer object that will be created in Active Directory Users and Computers.

Select the appropriate option, and click Finish. On the Configuration Complete page, clear the Add images to the Windows Deployment Server now check box (because you have no image to add yet) and click Finish.

Figure 1: Running the Sysprep tool

Figure 2: Creating a boot image

Adding an Image

There are two types of Windows Imaging Format (.wim) images you can add to WDS servers: boot and OS images. First I'll show you how to add a boot image. After we create an OS image, I'll explain how to add that image to the WDS server.

Before you can add a boot image, you need to create one using the Windows Automated Installation Kit (WAIK) 1.1. The WAIK is a free download from Microsoft that you install on the WDS server. After installation, click Start, All Programs, Microsoft Windows AIK, Windows PE Tools Command Prompt. (If you try to run this command in a normal command prompt, you'll get the error message Imagex is not recognized as an internal or external command, operable program or batch file.) If you're installing a 32-bit OS, you'll need a 32-bit boot image; for a 64-bit OS, a 64-bit boot image. To create a 32-bit boot image from the PE Tools Command Prompt, type:

copype x86 c:\winpe_32 

To create a 64-bit boot image, type 

copype x64 c:\winpe_64 

You can find help for creating a custom boot image or WinPE in Mark Minasi's Windows Tech Support newsletter (www.minasi.com), issue 59, and in the Microsoft article "Creating Images" (technet.microsoft.com/en-us/library/cc730907.aspx#BKMK_2).

To add the new boot image to your WDS server, open the WDS snap-in and expand the Servers node, then expand your server. Right-click Boot Images and choose Add Boot Image. On the Image File page, browse to C:\winpe, select winpe.wim, and click Next. On the Image Metadata page, give the image a name and description, then click Next. For this example, I named mine "Create Image." You can review your settings on the Summary page. If they are OK, click Next. When the task progress bar shows Operation Complete, click Finish. Your new boot image should be listed in the results pane. Next, you need to add a second boot image, which you'll find on the Vista (or Server 2008) DVD in the Sources folder. Follow the above steps to add the boot image, but this time browse to the Vista DVD \Sources folder, select boot.wim, and name it "Deploy Image." You're not ready to boot the image yet, but you'll need it for the next section.
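
The wizard steps covered so far (choosing the image folder, the DHCP Option 60 page, the PXE response policy, and adding the two boot images) can also be scripted with WDSUTIL, the command-line tool installed with the WDS role. The script below is an added example, not part of the original article; the D:\RemoteInstall folder, the C:\winpe_32 and E:\sources paths, and the choice of wizard option 4 are assumptions to adjust for your server.

```powershell
# Added example: script the WDS wizard choices with WDSUTIL from an elevated
# PowerShell prompt on the WDS server. All paths are assumptions; adjust them.

$RemInst    = 'D:\RemoteInstall'        # dedicated image volume (assumed drive letter)
$CaptureWim = 'C:\winpe_32\winpe.wim'   # wherever copype wrote winpe.wim (assumed)
$SetupWim   = 'E:\sources\boot.wim'     # boot.wim on the Vista/Server 2008 DVD (assumed drive)

function Invoke-WdsUtil {
    # Run WDSUTIL with the given arguments and stop on the first failure so a
    # half-configured server is noticed immediately.
    & wdsutil.exe $args
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Remote Installation Folder Location page (first run only; this fails if
#    the server has already been configured).
Invoke-WdsUtil /Initialize-Server "/RemInst:$RemInst"

# 2. DHCP Option 60 page: needed only when DHCP runs on this same server.
if (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue) {
    Invoke-WdsUtil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes
}

# 3. PXE Server Initial Settings page. The four wizard options map to:
#      option 1 -> /AnswerClients:None
#      option 2 -> /AnswerClients:Known
#      option 3 -> /AnswerClients:All
#      option 4 -> /AnswerClients:All plus /AutoAddPolicy /Policy:AdminApproval
#    Option 3 on its own answers every machine that PXE boots on the segment,
#    so this script uses option 4: unknown clients wait in Pending Devices.
Invoke-WdsUtil /Set-Server /AnswerClients:All
Invoke-WdsUtil /Set-Server /AutoAddPolicy /Policy:AdminApproval

# 4. Confirm what the server will actually do before any client boots.
Invoke-WdsUtil /Get-Server /Show:Config

# 5. Add the two boot images under the names used in the article.
Invoke-WdsUtil /Add-Image "/ImageFile:$CaptureWim" /ImageType:Boot "/Name:Create Image"
Invoke-WdsUtil /Add-Image "/ImageFile:$SetupWim"   /ImageType:Boot "/Name:Deploy Image"

# 6. Routine review: list machines waiting for approval. Approve or reject a
#    request by the ID shown in this output:
#      wdsutil /Approve-AutoAddDevices /RequestId:<id>
#      wdsutil /Reject-AutoAddDevices  /RequestId:<id>
Invoke-WdsUtil /Get-AutoAddDevices /DeviceType:PendingDevices
```

If every client is pre-staged in AD, replace the two lines in step 3 with `/AnswerClients:Known` (wizard option 2) so that unknown machines get no PXE response at all.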

Creating a New OS Image Using 
WDSCapture 

To create your OS image, you'll need a bare-metal machine. Install an OS (Vista, Server 2008, XP, or Windows Server 2003 are supported, but this article is specific to Vista and Server 2008), and configure it as you wish. Now, you're ready to use Sysprep to prepare the machine, which removes all the uniquely identifying information, such as computer name and IP information. To run Sysprep, click Start and choose Run. In the Run box, type sysprep. Double-click sysprep.exe when it appears in the results pane. In the Sysprep dialog box, select the Generalize check box and choose Shutdown in the Shutdown Options drop-down menu, as Figure 1 shows. Click OK. When Sysprep completes, the computer will shut down.

Figure 3: Capturing the OS image to deploy

Next you'll need to perform a network boot (aka PXE boot) on the Sysprepped machine. Restart the computer and get ready to perform a network boot—this happens really fast. Some machines make you press F12, some F2, and others have a special key you press for a network boot. If you don't get the option to perform a network boot, you might need to change the system BIOS to include the option to do a network boot. (Editing a system's BIOS is different for each type of computer so you might need to do some research for the type of computer you're working on.) The screen will remain black while the machine is getting an IP address from a DHCP server. You'll then be prompted to "Press F12 for Network Service Boot."

Select Create Image from the boot image choices that you added to the WDS server. Once the Create Image has booted, you will see a screen similar to the one Figure 2 shows. At the X:\windows\system32> command prompt, type

Wdscapture

The Welcome to the Windows Deployment Services Image Capture Wizard screen will appear. Click Next. On the Image Capture Source page, choose the volume to capture from the drop-down list of available volumes. If the C: volume does not appear, then Sysprep wasn't performed correctly. This is a common mistake; it's easy to forget to put a check mark in Sysprep's Generalize box. If no drive letters are displayed in the drop-down box, you'll need to boot the machine, answer the questions asked by Sysprep's mini-setup wizard, and run Sysprep again. After choosing the volume to capture, give the new image a name and description as Figure 3 shows. Click Next.

On the Image Capture Destination page, shown in Figure 4, page 30, browse for the folder in which to store the image (must be on a local drive). Enter the name of the image to be created and click Save. You have no choice here—you must save the image locally. Select Upload image to WDS server. Type the IP address of the WDS server. (You can use the name of the WDS server, but name resolution issues can cause the connection to the server to fail. The IP address is more reliable.)

You'll be prompted to enter credentials to authenticate to the WDS server. Type the username and password and click OK. When the authentication completes, you'll see a list of image groups in the Image Group name drop-down menu. Select the image group in which you want to store your new image, as Figure 5 shows, and click Finish. The image will appear in the results pane in the WDS snap-in under Install Images and the Image group you choose.

Image groups reduce the amount of storage space needed for your images.
Think of it like this: You add the first Server 2008 Enterprise OS image to
an image group named Ent08. When you add the second Server 2008 Enterprise
OS image (with different applications from the first) to the Ent08 image
group, single instancing wakes up and checks each file before storing it. If
a file already exists in the image group, the file itself is not stored
again, but a pointer to the one and only file is created.


Multicast Transmissions 

Images can be rather large—often too large to fit inside a single data
packet to cross the network wire. Therefore, the image is sent across the
network in many data packets. Multicast transmissions are new with Server
2008. Earlier versions had unicast transmissions only. What's the
difference? Let's look.

Figure 4: Storing the OS image

Figure 5: Uploading OS image to the WDS server

Figure 6: Creating a multicast transmission

Let's say two clients are requesting the same image from a WDS server. The
image is broken down at the packet level and sent across the network. The
server sends packet 1 of the image to client 1, then sends the same packet
to client 2, and so on until the entire image is deployed.

Imagine the workload that would be placed on the WDS server if there were
100 clients requesting the same image—packet 1 would be sent 100 times. With
multicasting, when both clients request the same image, the WDS server sends
packet 1 to all clients that are listening for it, then sends packet 2,
packet 3, and so on. The workload on the WDS server is greatly reduced
because each packet is sent only once. But (and here's the bad news),
multicast transmission is similar to broadcast traffic in that each packet
is sent to a specific multicast IP address, so all machines will need to
look at the packet to determine whether it's addressed to that client.

To create a multicast transmission, in the WDS snap-in, right-click the
Multicast Transmissions node, and choose Create Multicast Transmissions. On
the Transmissions Name page, type a friendly name and click Next. On the
Select Image page, choose your image group from the Select the image group
that contains the image drop-down list provided. Then, choose your image
from the Select the image list and click Next.

The Multicast Type page, which Figure 6 shows, lets you turn on multicast
for a specific image by selecting Auto-Cast. Auto-Cast uses new multicast
technology that lets a client join the multicast transmission in midstream.
For example, if 20 clients have already received packet 1624 and a new
client joins, the new client would receive packet 1624 first and all
subsequent packets until the image has been sent entirely. Then the client
would ask the WDS server to start over again with packet 1.

The Scheduled-Cast option lets you schedule a transmission for when
multicasting will be available. Scheduled-Cast requires that all clients be
ready at the same time because the WDS server won't restart from packet 1
after it finishes sending the image. You have two scheduling options:
Schedule when x number of clients have requested an image (where x is
specified by you), or schedule the date and time when multicast will start.
After choosing the start criteria for the transmission, click Next. You have
successfully created a multicast transmission when you see the Task
Complete! message. Click Finish.

One important note about multicast transmissions: They are available only if
the WinPE you boot the clients with is the boot.wim file from the Server
2008 DVD/Sources folder. The version that ships with Vista doesn't provide
multicast functionality.

Deploying the Image 

To deploy an image, perform a network boot on the client. (F12 will perform
a network boot.) Choose the boot image named Deploy Image (this is the
boot.wim image you added from either the Vista or Server 2008 DVD/Sources
folder). The Windows Deployment Services Wizard launches automatically.
Select the language and input method (e.g., keyboard), and click Next. In
the authentication dialog box, enter your DomainName\Username. For example,
to authenticate as Administrator in the Bigfirm domain, type

Bigfirm\Administrator

You can also use a user principal name (UPN) by typing
Administrator@Bigfirm.com. Provide a password and click OK. From the list of
OS images displayed, select the image to deploy and click Next. The Where do
you want to install Windows page lets you create and format a partition.
Choose Drive options, New, and type the size (in MB) of your first
partition. Click Apply. Then select Format, click OK, and click Next. The
Installing Windows screen opens and displays the phases of the installation
and which one is currently being processed.

Once the installation is complete, Sysprep's mini-setup wizard will prompt
you for information such as administrative username and password, computer
name, time zone, and a few other things. When you complete this last wizard,
your image deployment is complete. You can automate the beginning and ending
of your image deployment process so that you don't have to choose the size
of the first partition and file system used to format it or answer Sysprep's
mini setup wizard questions at the end by creating answer files. You can
find instructions and a list of settings and values in the "Unattended
Windows Setup Reference" Help file that ships as part of WAIK.

Just Try It 

I hope that armed with this guidance, you'll be able to install, configure,
and tweak WDS to fit your environment. Don't let the reputation of its
predecessor deter you from taking a serious look at WDS. I think you'll be
pleasantly surprised. And one thing is for sure—the price is right!

Your Infrastructure


By Mel Beckman 


You know what IT infrastructure is: the applications, servers, storage, and networks 
that comprise your enterprise information ecosystem, plus the duct tape that holds 
it all together. It's growing, both in size and cost. Virtualization promises to help you 
cope with the growth. Here's a 10-step road map to moving your infrastructure to 
the Big V. 

1. Plan a Little 

Don't click that "Place Order" button for VMware just yet. V in "virtualization" stands
for Vast, which is what the landscape of virtualization opportunities is. There's server
virtualization, application virtualization, storage virtualization, desktop virtualization,
even virtualization virtualization. Spend some time getting the lay of the land. An
excellent starting point is the Virtualization Wikipedia entry:
http://en.wikipedia.org/wiki/Virtualization. Weigh and rank the possibilities before
investing any hands-on time in technologies V. Don't make a doctoral thesis out of the
effort, though. There's fun to be had.


2. Play a Little 

Virtualization technology is exciting stuff-but don't tell management! Fortunately, it 
costs nothing to experiment; vendors are positively throwing free V products at you. 
Start with VMware's free trial Workstation Edition; it's drop-dead simple. Next move 
on to the free VMware Server edition, and give Microsoft's utterly free stand-alone 
Hyper-V a whirl. Play with Sun's free Virtual Box. Just to see how much you don't yet 
know, try to run free open source software Xen. Ha ha! You're not so smart! 


3. Build a V Lab 

It's time to spend some money. How you get it is your business. You need three or 
four multi-core servers packed with RAM and a couple of 24-port VLAN-capable 
gigabit Ethernet switches. I saw some on the loading dock. Lash 'em up to create 
your personal virtualization test bed. Cram it into a corner of your office: your V Lab. 
Now you're cooking. You can install all manner of V platforms and products, gaining 
wisdom as a V Guru. 

4. Roll out a virtual appliance 

Management suspects something is up, due to the elevated temperature in your
office. Time to show some results. That's easy to do with virtual appliances. You
need but one. Check out vmware.com/appliances/ and rpath.com. Perhaps you could
measure and chart network performance. The Cacti network monitor VA is perfect. Or
a spanking new AJAX-enabled CRM system might be even more impressive. Get your
appliance up and running, then wait a few days (Scotty's Motto: manage expectations).
Unveil. Bask.
5. Migrate an Existing Application

So far you haven't broken a sweat, at least not from effort. The next task, however,
could be somewhat taxing, so choose carefully. Select an existing application-one
spread across two or three physical servers-and migrate it; yes, migrate it, to virtual
machines. Database on one, web on another, third thing on the third, etc. Hopefully
you didn't pick something too hard. Use vendor migration tools (these are free,
because once you migrate vendors hope you'll spend.). If it doesn't work, hide it.

6. Virtualize Some Storage 

You're now a pro at spinning up VMs, but that pesky storage is a problem. Think 
about it. A VM crashes, you want to spin up a replacement; but, OMG, the DATA! 
Don't store your data in a VM. That's crazy talk. Virtualized data belongs in virtualized 
storage, on a virtualized Storage Area Network (SAN). But skip the too-pricey Fibre- 
spelled-the-British-way and all that specialized SAN hardware. Go straight to iSCSI, 
which is all software, free and easy. 


7. Manage, Virtually 

Holy cow, you've built a small empire! Now you know what they meant by server 
sprawl. Is that VM down? Is this one overloaded? Where's that new OS boot image? 
Better start managing this stuff. Fortunately, vendors are lobbing free management 
tools over the wall. Microsoft's Hyper-V Vista Management thingy. Sun's XVM Op 
Center, and many more. Some aren't free, but darn cheap: VMware's Virtual Center. 
You'll get dashboards. You'll get graphs. You'll be in control. Maybe. 



8. Target the Basic Desktop

Good morning, Mr. Phelps. Desktop users have gone amuck. They are taking too much
dang time to support because they keep installing stuff that breaks other stuff. This
must stop. Your mission, should you decide to avoid insanity, is to virtualize desktops,
so they can be made all the same, totally mobile for when nobody has their own
office anymore, and easy to manage. And cheaper, too. Start with the basic desktop:
users that need only email and Office. They have no pull.


9. Break into Blades

Is it hot in here? Let's move those servers out of your office, man! By now
management has given you a blank check, thanks to all the savings your virtualization
adventures have generated. In the land of the V, the multi-core box is king. And the
king of processor cores is undoubtedly the Blade Server, which concentrates a dozen
or more servers in a single rack shelf, each with four, eight, maybe sixteen cores.
Blades are the last word in economies of scale, so invest.


10. Fail Gracefully

When a real server dies, you have to get out screwdrivers and flashlights and
whatnot, and spend hours fixing it. When a fake server dies, nothing bad happens-provided
you've played your cores right. Every virtualization technology includes
support for automatic fail-over: something dies, and something else is birthed to
take its place. You fix broken things later. Learn about failover mechanisms and
incorporate them at the start of every V project. Because fail-over will save your
vacation.
Secure Your DNS Servers

The DNS protocol is peculiar. It's one of the oldest, most universally
used, and most crucial of all networking protocols, but it's still the
source of many network security problems. DNS has some fundamental
limitations, but there's no reason for it to be the weakest link in your
organization's security.

Perhaps it's DNS's apparent simplicity that breeds complacency toward DNS
security. It's easy to set up a DNS server and forget about it, but an
incorrectly configured and neglected DNS server can be a significant
security problem. DNS services, as providers of network information, will
always be targets for reconnaissance and information gathering, but careful
planning and vigilance will minimize the risk of malicious hackers using
your own servers against you.

You can do much to build a solid and secure DNS infrastructure on your
network, whether you're using Microsoft DNS or BIND. (For information about
the security differences between BIND and Microsoft DNS, see the sidebar
"Microsoft DNS vs. BIND," page 34.)

DNS Server Attacks

To secure a DNS server, you need to understand how others might exploit it.
The most common threats are Denial of Service (DoS) attacks, tampering with
DNS records, and information gathering. DoS attacks are probably the most
common threat because they're remarkably easy to pull off, thanks to the
large number of incorrectly configured DNS servers on the Internet. DNS
servers are often the launching points for DoS attacks, wherein an attacker
uses a DNS server that allows recursion to pummel another server with
packets. This kind of attack starves the target server of resources and
prevents legitimate users from accessing it.

DNS tampering, which takes several forms, is less common but still a threat.
One common method of DNS tampering is cache poisoning, in which an attacker
injects fake records into a DNS server's cache. Other methods of modifying
DNS records include forged packets, man-in-the-middle attacks, and rogue DNS
servers. In addition to modifying records, attackers use DNS servers for
information gathering through DNS server mining, zone transfers, and DNS
packet interception. Properly configured DNS servers can greatly limit your
exposure to all these tactics.

Isolate DNS Functions 

The first step to preventing attacks on DNS servers is to plan your network
infrastructure so that you isolate DNS server functions. The term DNS server
describes two very different functions—a fact that can lead to confusion
during configuration. A DNS server can be an advertiser of information, or
it can be a gatherer (resolver) of information stored elsewhere. To maximize
security, it should never perform both functions simultaneously.

Your DNS advertiser stores and publishes authoritative records about a
domain that you control. The DNS advertiser could be a public DNS server,
which tells outsiders how to reach your website or mail servers, or an
internal Active Directory DNS server, which tells clients where to find
resources such as domain controllers. In contrast, your DNS resolver accepts
DNS requests from within your organization and contacts outside DNS servers
as necessary to locate host information. DNS resolvers can cache records to
speed up future lookups and can act as forwarders to redirect client lookups
to different DNS servers.

Most DNS servers work fine performing both functions at once, and
organizations commonly have several DNS servers that perform both. This
practice, however, is the primary reason so many DNS servers are vulnerable.
You should have at least three distinct server roles on your network:
Internet-facing DNS advertisers for publicly available servers, private DNS
advertisers for AD and other internal DNS records, and DNS resolvers to
perform lookups, caching, and forwarding for internal clients.

You should split these roles to improve performance and limit exposure to
cache poisoning and DoS attacks. To further mitigate DoS attacks, you should
have at least two servers in each role. Although many companies use a single
DNS server for all roles, isolating server roles is always the best
practice, because even if a configuration is not vulnerable now, it could
become vulnerable in the future.

Carefully securing all DNS server roles is important, but I want to focus on
the most crucial role: the Internet-facing advertisers.

Public DNS Advertisers 

Your Internet-facing DNS advertisers are the only DNS servers visible
outside your network, so you need to limit the information stored on them;
otherwise, attackers might exploit them. Public advertisers should hold only
public host records and should publish records only for servers accessible
from the Internet—for example, web, mail, and FTP servers. Public
advertisers should contain only public IP addresses and other public records
such as Sender Policy Framework records and basic contact information. If
any of your network adaptors point to your public DNS servers, chances are
you have a problem to fix.

Although controlling information is important, your primary strategy for
securing public advertisers should be to make sure they respond only to
requests for the records they hold. They should never perform DNS lookups or
look up other information on behalf of someone requesting records. Limiting
responses will eliminate cache poisoning and prevent others from using your
DNS server as a reflector in a DoS attack. Several steps are necessary in
both BIND and Microsoft DNS to secure public advertisers.

Disable Recursion 

Recursion allows a DNS server to track down a host record on behalf of
another server. The problem with recursion is that in the process of
performing lookups for others, a DNS server might be vulnerable to cache
poisoning. Furthermore, attackers often use recursive DNS servers as part of
a distributed DoS attack.

Attackers perform DoS attacks by creating large DNS records on servers that
they control, then sending thousands of requests to recursive DNS servers
all over the Internet. The requests are spoofed to look as if they come from
a single IP address, so each DNS server will grab the record, cache it, and
return it to the spoofed IP address. By repeating this process, the attacker
can flood a target server with packets. The only way to prevent the flood
would be to configure every public DNS server on the Internet to block
recursive queries. Fixing the estimated half-million DNS servers that allow
recursion is impossible, but you can do your part by fixing your own
servers.

To disable recursion with Microsoft DNS, open the DNS Management Console,
right-click the computer name in the left pane, and select Properties. Click
the Advanced tab and select the Disable recursion check box, as Figure 1
shows. Also, confirm that the Secure cache against pollution option is
selected.

If you use BIND, you can disable recursion by adding the following to the
options section in named.conf:

options {
    recursion no;
};

Note that with BIND, you can use an allow-recursion ACL to permit recursion
only from trusted IP addresses. Although this might be the only possible
solution in some configurations, the best protection is to prevent all
recursion on public DNS servers.

Figure 1: Disabling DNS recursion

Figure 2: Limiting the IP addresses DNS listens to

Microsoft DNS vs. BIND

You might ask which is more secure, Microsoft DNS (which comes with Windows)
or the more common BIND. Most organizations that have Windows-based networks
rely on Microsoft DNS because it's a core component of Active Directory, but
many people claim that BIND is more secure.

Comparing the security of the two products is difficult. BIND allows for
finer configuration and has full DNS Security Extensions support, but it has
a longer history of security flaws than Microsoft's DNS implementation.
Microsoft DNS is easier to configure, so some argue that there's a smaller
chance for configuration errors. However, because it's easy to configure,
inexperienced administrators might use it and introduce errors. Ultimately,
you can build a secure DNS server with either of the two products. Unlike
most security vulnerabilities, DNS problems are more often a result of
configuration errors rather than software flaws.
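
To confirm that the Disable Recursion change took effect on a server you administer, you can send it a query for a name outside its zones and read the reply header. The sketch below is an added example, not code from the article: it encodes the query, decodes the RA (recursion available) flag and response code, and classifies the result. The function names and the header-only sample replies are constructed for illustration.

```python
import socket
import struct

# Bits of the 16-bit flags field in the DNS header (RFC 1035, section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1A2B, qtype=1):
    """Encode an A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def assess(query, response):
    """Classify how a server treated a query for a name outside its zones."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return "not-a-matching-response"
    if r["ra"]:
        return "recursion-offered"      # server advertises recursion to this client
    if r["ancount"] > 0 and not r["aa"]:
        return "answered-from-cache"    # no RA, but non-authoritative data returned
    return "recursion-disabled"         # REFUSED, or a referral with no answers


def ask(server_ip, name, timeout=3.0):
    """Send one UDP query to a server you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        response, _ = s.recvfrom(4096)
    return assess(query, response)


def constructed_reply(query, flags, ancount):
    """Build a header-only reply for the offline samples below (constructed data)."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


SAMPLE_QUERY = build_query("www.example.net")
SAMPLES = {
    "open resolver": constructed_reply(SAMPLE_QUERY, QR | RD | RA, 1),
    "hardened, REFUSED": constructed_reply(SAMPLE_QUERY, QR | RD | 5, 0),
    "hardened, referral": constructed_reply(SAMPLE_QUERY, QR | RD, 0),
    "cached answer": constructed_reply(SAMPLE_QUERY, QR | RD, 1),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:20} -> {assess(SAMPLE_QUERY, reply)}")
```

Run ask() from a host outside your network so the result reflects what Internet clients see rather than what a trusted internal address is allowed.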

Limit Zone Transfers 

A surprisingly common DNS server mistake is allowing all hosts to perform
zone transfers and allowing all records for a zone to be returned. Zone
transfers let DNS servers share information, but you should be careful to
limit which hosts can request them. If you don't normally allow servers to
update each other, you can completely disable zone transfers.

To limit zone transfers with Microsoft DNS, open the DNS Management Console,
right-click the domain you want to configure, click Properties, then access
the Zone Transfers tab. If you want to enable zone transfers, be sure to
allow only servers listed on the Name Servers tab or use specific IP
addresses. Never allow zone transfers to all servers.

With BIND, you control this setting in named.conf. You can make the setting
in either the global options section or individual zone sections. Keep in
mind that settings in a zone section override that zone's global options, so
the best way to manage zone transfers is to prevent them globally, then
configure individual zones to allow zone-transfer requests only from certain
IP addresses. To do so, add to named.conf as follows:

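options {
    recursion no;
    fetch-glue no;
    // Refuse zone transfers unless a zone says otherwise.
    allow-transfer { none; };
};

zone "example.com" in {
    // Only this host may request a transfer of this zone.
    allow-transfer { 192.168.0.15; };
};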

Reduce Exposure 

To prevent abuse, it's important to limit all network services to specific
ports and IP addresses. You should always use a packet filter, such as a
firewall or router, to limit access to your DNS servers, and you should
configure limitations on the servers themselves. To configure Microsoft DNS
to listen only on specific IP addresses, you can open the DNS Management
Console, right-click the computer name, select Properties, and select the
Interfaces tab. You can then enter specific IP addresses you want to listen
on, as Figure 2 shows.

With BIND, you can set the listening IP address as a global option or a zone
option in named.conf as follows:

options {
    recursion no;
    fetch-glue no;
    allow-transfer { none; };
    listen-on { 192.168.0.8; };
};


With Microsoft DNS, it's possible to manage a remote DNS server using the
remote procedure call (RPC) protocol. If you don't use this feature, you
should disable RPC to reduce your attack surface. To do so, you must edit
the server's registry. Using Regedit, locate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, and
create a DWORD value named RpcProtocol. Set this value to 0, and restart the
DNS server for the setting to take effect.

You Can Do More 

At this point, your DNS server won't allow 
recursive DNS requests from others, won't 
attempt to answer queries outside its zones, 
will permit zone transfers only to trusted 
hosts, and will listen only on the IP addresses 
you specified. If it contains only public DNS 
records, the server is now secure enough to be 
a public DNS advertiser. With prudent firewall 
configuration, careful patch management, 
and other security best practices in place, you 
can be confident that your DNS server isn't a 
threat to your network or others. 
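
The BIND settings summarized above can be checked mechanically before a server goes into service. The following is an added example, not part of the original article: a small named.conf reader that reports when recursion is left on, when zone transfers are not denied globally or are open to any host in a zone, and when listen-on is missing. Both sample configurations are constructed, it reads top-level zones only (no views or include files), and it assumes that a missing allow-transfer means any host, the historical BIND default.

```python
import re

# Constructed sample: a server left close to its defaults.
WEAK_CONF = '''
options {
    directory "/var/named";
};
zone "example.com" in {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};
'''

# Constructed sample: the article's settings; the zone's type and file lines are assumed.
HARDENED_CONF = '''
options {
    recursion no;
    fetch-glue no;
    allow-transfer { none; };
    listen-on { 192.168.0.8; };
};
zone "example.com" in {
    type master;
    file "example.com.zone";
    allow-transfer { 192.168.0.15; };
};
'''

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
FALSE_VALUES = {"no", "false", "0"}


def strip_comments(text):
    """Remove /* */, // and # comments (assumes none occur inside quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_block(tokens, pos=0):
    """Parse statements up to the closing brace; a nested block becomes a nested list."""
    statements, current = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            block, pos = parse_block(tokens, pos)
            current.append(block)
        elif tok in ("}", ";"):
            if current:
                statements.append(current)
            current = []
            if tok == "}":
                break
        else:
            current.append(tok.strip('"'))
    return statements, pos


def find(statements, keyword):
    """Return the first statement that starts with keyword, ignoring case."""
    for st in statements:
        if isinstance(st[0], str) and st[0].lower() == keyword:
            return st
    return None


def acl_entries(statement):
    """Flatten the { a; b; } list of a statement into lowercase strings."""
    block = next((x for x in statement if isinstance(x, list)), [])
    return [e[0].lower() for e in block if isinstance(e[0], str)]


def audit(conf_text):
    """Return a list of findings; an empty list means the checks passed."""
    top, _ = parse_block(TOKEN.findall(strip_comments(conf_text)))
    findings = []
    opt_stmt = find(top, "options")
    opts = opt_stmt[-1] if opt_stmt and isinstance(opt_stmt[-1], list) else []
    rec = find(opts, "recursion")
    if rec is None or len(rec) < 2 or str(rec[1]).lower() not in FALSE_VALUES:
        findings.append("options: recursion is not set to 'no'")
    xfer = find(opts, "allow-transfer")
    global_acl = acl_entries(xfer) if xfer else ["any"]  # assumed default: any host
    if global_acl != ["none"]:
        findings.append("options: allow-transfer is not { none; }")
    listen = find(opts, "listen-on")
    if listen is None or "any" in acl_entries(listen):
        findings.append("options: listen-on does not name specific addresses")
    for st in top:
        if isinstance(st[0], str) and st[0].lower() == "zone" and isinstance(st[-1], list):
            zone_xfer = find(st[-1], "allow-transfer")
            acl = acl_entries(zone_xfer) if zone_xfer else global_acl
            if "any" in acl:
                name = st[1] if len(st) > 2 else "?"
                findings.append(f"zone {name}: zone transfers allowed to any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```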

However, you can do more. Using IPsec between trusted hosts and implementing
the DNS Security Extensions (DNSSEC) and Transaction Signature extensions
can further increase the integrity and confidentiality of your DNS traffic.
Careful server hardening will prevent other types of attacks on your DNS
server. Finally, a good network-monitoring system can warn you of impending
attacks.

InstantDoc ID 100432 



Mark Burnett (mburnett@xato.net) is an independent consultant specializing
in Windows security. He is a Security MVP and the author of several books,
including Perfect Passwords and Hacking the Code (Syngress). Visit Mark's
blog at xato.net.


We're in IT with You 


Windows IT Pro 


DECEMBER 2008 35 












































FEATURED

Test for Numerous Conditions with PowerShell's switch Statement

Windows PowerShell's switch statement is a powerful language construct that
lets you test for specific conditions, similar to an if statement. However,
a switch statement is easier to implement when you want to evaluate numerous
conditions. Let's look at the various components that make up the switch
statement and explore how to use them to automate such tasks as retrieving
System event log entries and performing certain actions based on the type of
entry, and moving and deleting files based on their filenames.

Creating Switch Statements 

The switch statement compares one or more values to one or more 
conditions. For each condition that evaluates to true, the statement 
runs the script block associated with that condition. To better understand how 
a switch statement works, let's take a look at its syntax: 



switch <options> (<collection>)
{
    <condition 1> {<script block 1>}
    [<condition 2> {<script block 2>}]
    [<condition 3> {<script block 3>}]
    [<condition n> {<script block n>}]
    [default {<default script block>}]
}


The first line begins with the keyword switch, followed by one or more 
options and a collection. The switch statement supports five options that let 
you, for example, use wildcards and regular expressions. The collection, which 
is enclosed in parentheses, contains what you're checking (e.g., events, files). It 
can consist of zero or more elements. 

The braces in the second and last line enclose the switch statement's script
block. The first line in this block includes a condition and that condition's script
block, which is also enclosed in braces. If the condition evaluates to true, the
condition's script block runs. You can include as many condition/script block
pairs as necessary. In addition, you can include an optional default clause that
contains a script block, which runs only when none of the conditions evaluate to
true.

Listing 1: Code That Retrieves the Most Recent Entry in the System Event Log

$event = Get-EventLog "system" -Newest 1
switch ($event.EntryType)
{
    # Callout A
    "error"
    {
        "ERROR: " + $event.Message
    }
    "warning"
    {
        "WARNING: " + $event.Message
    }
    "information"
    {
        "Info only: " + $event.Message
    }
}

Now let's look at an example. The code in Listing 1 defines the $event
variable and uses that variable in a switch statement. The first line uses
the Get-EventLog cmdlet to retrieve the most recent event from the local
computer's System event log. When you use this cmdlet to retrieve System
event log entries, it returns a Microsoft .NET Framework
System.Diagnostics.EventLogEntry object for each event. This object returns
the information you typically find in a System event log entry, such as when
the event occurred, the type of event, and the event's message.

In Listing 1, the Get-EventLog cmdlet assigns the information from the most
recent event to the $event variable. Using the EventLogEntry object's
EntryType property, the switch statement retrieves the type of event and
compares that element to the defined conditions.

In a switch statement, you can simply specify a value as a condition.
PowerShell then automatically compares that value to each collection
element. As callout A in Listing 1 shows, the first condition is defined as
error. When this value is equal to the collection element (i.e., the
EntryType property value), the condition evaluates to true and the script
block runs. In other words, when the event type is error, the script block
outputs the word ERROR: followed by the event's message, which is obtained
using the EventLogEntry object's Message property.

The switch statement's script block contains two other conditions, but you
can define as many conditions as necessary. For each condition that
evaluates to true, the associated script block runs. If multiple conditions
evaluate to true, all associated script blocks run. In this example, only
one condition script block will run because the collection contains only one
element.

Note that, by default, the switch statement is case insensitive. For
example, you can spell the first condition as error, ERROR, or Error, and
the results will be the same. However, you can override this default
behavior by specifying the -casesensitive option, as in


switch -casesensitive ($event.EntryType) 


One other point I want to make concerns the collection. The code in Listing
1 retrieves the EntryType property value as part of the collection. However,
you can retrieve that value in the conditions, as shown in Listing 2.

Figure 1: Retrieving the 10 most recent entries in the System event log

Listing 5: Code That Uses Wildcards to Move Files

$files = dir C:\ArchivedFiles\*.txt
switch -wildcard ($files)
{
    # Callout A
    *2007*
    {
        move $_ C:\ArchivedFiles\2007
        $_.name + " moved."
    }
    *2006*
    {
        move $_ C:\ArchivedFiles\2006
        $_.name + " moved."
    }
    default
    {
        $_.name + " older than 2006."
    }
}

Listing 6: Code That Uses Regular Expressions to Delete and Move Files

$files = dir C:\ArchivedFiles\*.txt
switch -regex ($files)
{
    # Callout A
    archive.._200[3-5].txt
    {
        del $_
        $_.name + " deleted."
    }
    # Callout B
    archive.._2006.txt
    {
        move $_ C:\ArchivedFiles\2006
        $_.name + " moved."
    }
    default
    {
        move $_ C:\ArchivedFiles\2007
        $_.name + " moved."
    }
}

Notice that the collection now includes only $event. The conditions use the
$_ built-in variable to reference the current $event value, then use the
EntryType property to retrieve the entry type. When you take this approach,
you must define the entire condition and enclose it in braces. For example,
the condition {$_.entrytype -eq "error"} specifically says that the
EntryType value must equal error. Listing 2 will return the same results as
Listing 1.

When working with a collection that contains one element, you'll probably
want to stick with the first approach because it's simpler. However, when a
collection contains multiple elements, you have to use the second approach
if the switch statement can't work with the collection as is. For example,
if you use Get-EventLog to return multiple system events, you must retrieve
the EntryType value in each condition, as Listing 3 shows. In this code, the
collection specifies only the variable name $events. This collection
contains the last 10 system events. The conditions use the EntryType
property to retrieve the entry type. Listing 3 returns results similar to
those in Figure 1.

Figure 2: Moving files with the help of wildcards

If you refer back to 
the switch statement's 
syntax, notice that the 
last line in the state¬ 
ment's script block is a 
default clause. The code 
in Listing 4 uses a default 
clause rather than defin¬ 
ing a third condition. Any 
event that doesn't con¬ 
tain an EntryType value 
of error or warning is treated as a default, 
which means that the returned message will 
begin with Info only:. Listing 4 returns the 
same results as Listing 3 but with a bit less 
work. 

Using Wildcards and Regular Expressions

By default, the string value specified in the switch statement's script block has to exactly match a condition for that condition to evaluate to true. This would be the same as using the -exact option in a switch statement. Even though the option isn't necessary for exact matches, a person might include it to ensure that the intent of the code is clear, should anyone else review the code.

Besides the -exact option, there are options that let you use wildcards (-wildcard option) or regular expressions (-regex option) in switch statements. (If you're unfamiliar with wildcards or regular expressions, see the PowerShell help topics about_wildcard and about_regular_expression.) For example, the switch statement in Listing 5 uses wildcards to move files. The first line retrieves a list of text files and assigns them to the $files variable, which becomes the collection. Notice that ($files) is preceded by the -wildcard option, which tells PowerShell that wildcards will be used.

For example, the condition in callout A in Listing 5 uses the wildcard *2007*, which means the filename must contain the string 2007, with any number of characters on either side. If a filename contains the string 2007, the switch statement moves the file to the 2007 folder and displays a message indicating that the file has been moved. Because the collection contained eight files, PowerShell returns eight messages, as shown in Figure 2.

Like Listings 3 and 4, Listing 5 uses only a variable name (e.g., $files, $event) for the collection. Unlike Listings 3 and 4, Listing 5 specifies only the $_ built-in variable in each condition and not $_.PropertyName (where PropertyName is the name of the property you want to retrieve). Sometimes the only way to know which technique will work is through trial and error.

Figure 3: Deleting and moving files with the help of regular expressions

Listing 7: Code That Uses the -regex and -casesensitive Options

$files = dir C:\ArchivedFiles\*.txt
switch -regex -case ($files)
{
    archive.._200[3-5].txt
    {
        del $_
        $_.name + " deleted."
    }
    archive.._2006.txt
    {
        move $_ C:\ArchivedFiles\2006
        $_.name + " moved."
    }
    default
    {
        move $_ C:\ArchivedFiles\2007
        $_.name + " moved."
    }
}

Figure 5: Using a file's contents as a collection

When you want to use regular expressions, you use the -regex option. For example, the switch statement in Listing 6 uses two regular expressions, the first of which is in the condition in callout A. This condition uses the regular expression archive.._200[3-5].txt to delete any file whose filename begins with the string archive and ends with the string _2003.txt, _2004.txt, or _2005.txt. The condition in callout B uses the regular expression archive.._2006.txt to move any file that begins with the string archive and ends with the string _2006.txt to the 2006 folder. The default clause moves all other files to the 2007 folder. Figure 3 shows the messages output by the code in Listing 6.
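An added example, not from the original article: the patterns in Listing 6 are unanchored and use an unescaped dot, so they match more filenames than the begins-with and ends-with description suggests, which matters when the matching branch deletes files. The helper name Get-ArchiveAction, the anchored patterns, and the sample filenames are assumptions constructed for illustration; the delete step is only rehearsed with -WhatIf inside a throwaway temp folder.

```powershell
# Added example (not from the article). Everything happens in a throwaway temp folder,
# and the sample filenames below are constructed for the demonstration.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("SwitchDemo_" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $root | Out-Null
$sampleNames = @(
    "Archive01_2004.txt",           # intended delete target
    "Archive05_2006.txt",           # intended move-to-2006 target
    "Archive07_2007.txt",           # falls through to the default clause
    "old_archive99_2004Xtxt.txt",   # does not begin with "archive"; "X" sits where the dot should be
    "archive12_2005.txt.bak.txt"    # does not end with "_2005.txt"
)
foreach ($n in $sampleNames) { New-Item -ItemType File -Path (Join-Path $root $n) | Out-Null }

# Hypothetical helper: returns the action a filename would trigger, without touching the file.
function Get-ArchiveAction {
    param([string]$Name, [switch]$Anchored)

    if ($Anchored) {
        # ^ and $ pin the match to the whole name, \d\d allows only two digits,
        # and \. matches a literal dot.
        $deletePattern = '^archive\d\d_200[3-5]\.txt$'
        $movePattern   = '^archive\d\d_2006\.txt$'
    }
    else {
        # The patterns exactly as they appear in Listing 6.
        $deletePattern = 'archive.._200[3-5].txt'
        $movePattern   = 'archive.._2006.txt'
    }

    # -regex matching is case insensitive unless -casesensitive is also given.
    switch -regex ($Name) {
        $deletePattern { "delete";       break }
        $movePattern   { "move to 2006"; break }
        default        { "move to 2007" }
    }
}

# Test the Name property explicitly so the folder path never takes part in the match.
foreach ($file in (Get-ChildItem -Path $root -Filter *.txt)) {
    $asPrinted = Get-ArchiveAction -Name $file.Name
    $anchored  = Get-ArchiveAction -Name $file.Name -Anchored
    "{0,-28} Listing 6 pattern: {1,-13} anchored: {2}" -f $file.Name, $asPrinted, $anchored

    # Rehearse the destructive branch: -WhatIf reports what would be removed and removes nothing.
    if ($anchored -eq "delete") {
        Remove-Item -LiteralPath $file.FullName -WhatIf
    }
}

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the demo folder
```

The last two sample names are selected for deletion by the Listing 6 pattern but fall through to the default clause once the pattern is anchored.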

As I mentioned previously, the switch statement supports the -casesensitive option, which lets you make the matching process case sensitive. You can use this option with other options, as Listing 7 shows. In this code, notice that I use -case instead of -casesensitive. You can use a short version of an option name if PowerShell can distinguish the correct option.

With the addition of the -casesensitive option, the filenames' cases must exactly match. For example, the second condition (archive.._2006.txt) evaluates to true for archive05_2006.txt but not for Archive05_2006.txt. Because all eight files begin with uppercase, the default condition applies and all eight files are moved to the 2007 folder, as shown in Figure 4.


Figure 4: Result of using a case-sensitive switch statement

Working with a File's Contents

Another useful option is -file. You use this option when you want to use a file's contents as the collection. Each line in the file represents an element in the collection. For example, the following switch statement retrieves the Archive08_2007.txt file's contents:

switch -regex -file C:\ArchivedFiles\Archive08_2007.txt
{
    "line 1\)$" { "Line 1: $_" }
    "line 2\)$" { "Line 2: $_" }
    "line 3\)$" { "Line 3: $_" }
    "line 4\)$" { "Line 4: $_" }
    default { "Other line: $_" }
}

As this example shows, you must include the file's pathname after the keyword -file. In the switch statement's script block, the first condition specifies that a line must end in the string line 1). If the condition evaluates to true, the phrase Line 1: is printed, followed by the line itself ($_). If none of the four conditions evaluate to true, the default clause runs, as shown in Figure 5.

Moving Forward

The switch statement is a valuable tool for working with collections and multiple conditions. You can make the statement as simple or as complex as necessary. For example, you can embed other types of flow control statements within the conditions' script blocks. Be sure to try out various configurations and access different types of data stores to better learn how to take full advantage of all that the switch statement has to offer.
Windows SharePoint Services (WSS) 3.0 and Microsoft Office SharePoint Server (MOSS) 2007 let users contribute content to lists and libraries via email. This ability adds to existing methods such as uploading through the browser and offers end users more flexibility in the way they contribute to team sites. Email is an especially useful way of contributing SharePoint content for the road warrior who might not always have a direct connection to the network.

Microsoft SharePoint Portal Server 2003 let you email documents into document libraries via an Exchange Server mail-enabled public folder—a cumbersome, circuitous method. WSS 3.0 and MOSS 2007 improve the process with the ability to send messages directly into many types of lists and libraries without relying on Exchange public folders. This is a welcome development, but there are some implementation issues that could trip you up along the way. In this article, I show you how emailing works with SharePoint 2007 and highlight some problems you should be aware of. SharePoint also supports outgoing email for notification of various events, but that's outside the scope of this article.

Follow these guidelines to email-enable SharePoint for easy updates

by Kevin Laahs


Basic Architecture

First, I'd like to make it clear that SharePoint is not an SMTP engine, and it doesn't care what messaging system you use; Exchange (or any other specific messaging system) isn't required to be able to email items into SharePoint lists and libraries. Essentially, SharePoint monitors a folder location looking for correctly formatted SMTP messages. SharePoint doesn't care how those messages arrive in the folder—it just opens them up and tries to associate each message with a list or library somewhere in the SharePoint farm. It doesn't return delivery failures nor does it process requests for read or delivery receipts—which is what I mean by it not being an SMTP engine in itself.

In a typical environment, the folder that SharePoint monitors is the drop folder of the SMTP service running on web front-end servers within the farm. The general messaging infrastructure is configured such that SharePoint-bound messages are routed to the SMTP service. How this routing is achieved differs in each organization, but typically SharePoint is identified using its own SMTP namespace, and a combination of mail exchanger (MX) records and messaging connectors route traffic appropriately.

If an item in the monitored folder can be successfully parsed as an SMTP message, SharePoint uses the To address to look up the destination list or library in the current farm. Depending on various configuration options—such as who is allowed to send mail to a particular list and the type of list it is—the email and attachments are added to that list; they become normal list items and therefore benefit from core SharePoint services such as search and views.

Configuring Incoming-Email Settings

For this emailing structure to be successful, you have to configure how and where the web front-end servers monitor the drop folder, how to match incoming email addresses to lists and libraries, and how to control who is allowed to do what via email. The first step is to enable processing for incoming email at the farm level through the Operations tab in SharePoint Central Administration. With incoming mail enabled, SharePoint starts a background timer job called Windows SharePoint Services Incoming E-Mail that runs every minute on all web front-end servers to poll the drop folder for new messages. As with all timer jobs, this job is controlled by the Windows SharePoint Services Timer service; if the Timer service isn't running, incoming email won't be processed.

The incoming-email job runs by default on all front-end servers, but the configuration for the drop folder is set farmwide. Therefore, all web front-end servers in a farm that run the incoming-email service must have a drop folder in the same location. So, if the drop folder is configured as C:\Drop, all web front-end servers must have a C:\Drop folder and your mail routing topology must ensure that incoming messages get deposited in this folder.

You should enable the Windows SMTP service on your front-end servers to receive email from other SMTP servers—for example, so you can send messages from Exchange 2007 directly into WSS. The automatic configuration mode on the Configure Incoming E-Mail Settings page in Central Administration meets the needs of most organizations. However, if you're not using the Windows SMTP service and want to populate a drop folder via some other mechanism, you'll need to manually configure the settings using the advanced mode, which reveals configuration settings for the drop folder in the UI. Note that using the advanced mode disables the ability to specify safe SMTP servers.

In the automatic mode, you can indicate that all incoming mail is acceptable or you can specify a list of IP addresses that equate to those SMTP servers you're happy to process mail from. Your choice depends on your overall SMTP routing topology. For example, you might have one central SMTP server that all mail passes through and you want this server to be the only one from which you're willing to process mail. The incoming-email service analyzes the Received header inside each message it picks up from the drop folder to determine whether to accept the message.

If you're not using the automatic mode, you have to ensure that the account used to run the Windows SharePoint Services Timer service has modify permissions on the specified drop folder so that it can delete messages after processing them. Failing to do so results in messages being delivered multiple times.
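One way to check the drop-folder permission described above, as an added example rather than code from the article or from SharePoint: because SharePoint processes whatever lands in the drop folder, the audit confirms that the Timer service account holds Modify and lists any other identity that can write there. The helper name Test-DropFolderAcl, the default list of expected writers, and the CONTOSO\svc-sptimer account name are assumptions; C:\Drop is the article's own example path.

```powershell
# Added example (not SharePoint's or the article's code).
# Hypothetical helper: reports whether $TimerAccount holds Modify on $DropFolder and
# which other identities hold write-type rights there. It reads explicit and inherited
# ACEs as listed; it does not resolve access granted through group membership.
function Test-DropFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$DropFolder,
        [Parameter(Mandatory = $true)][string]$TimerAccount,
        # Identities expected to have write access besides the Timer account (assumed defaults).
        [string[]]$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $genericAll   = 0x10000000   # raw GENERIC_ALL bit, seen on some inherit-only ACEs
    $genericWrite = 0x40000000   # raw GENERIC_WRITE bit
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$writeRights -bor $genericAll -bor $genericWrite

    $allowRules = (Get-Acl -Path $DropFolder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    $timerHasModify = $false
    $unexpected = @()
    foreach ($rule in $allowRules) {
        $who  = $rule.IdentityReference.Value
        $bits = [int]$rule.FileSystemRights

        if ($who -eq $TimerAccount) {
            # Modify (or more) lets the timer job delete messages after processing them.
            if ((($bits -band $modify) -eq $modify) -or (($bits -band $genericAll) -ne 0)) {
                $timerHasModify = $true
            }
        }
        elseif ((($bits -band $writeMask) -ne 0) -and ($ExpectedWriters -notcontains $who)) {
            # Anyone else who can write here can place messages for SharePoint to process.
            $unexpected += "$who ($($rule.FileSystemRights))"
        }
    }

    New-Object psobject -Property @{
        DropFolder        = $DropFolder
        TimerHasModify    = $timerHasModify
        UnexpectedWriters = $unexpected
    }
}

# Demo on a throwaway folder, treating the current user as the Timer account.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("DropDemo_" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $demo | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Test-DropFolderAcl -DropFolder $demo -TimerAccount $me | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force

# On a web front-end server (path from the article's example; account name is a placeholder):
# Test-DropFolderAcl -DropFolder 'C:\Drop' -TimerAccount 'CONTOSO\svc-sptimer'
```

Because the drop-folder location is set farmwide, run the check on every web front-end server that runs the incoming-email job.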

The last piece of configuration for this stage is to indicate which SMTP domain your WSS farm processes mail for. For example, with an email address of mi6@wss.spysrus.com, the SMTP domain is wss.spysrus.com. In this example, any email-enabled list or library would have an address of something@wss.spysrus.com. The challenge from an infrastructure point of view is to ensure that every email message addressed to wss.spysrus.com finds its way to a web front-end server with the incoming email service enabled. You could do this many different ways, but it most likely involves setting up MX records in DNS and connectors from other internal mail systems. For example, in Exchange 2007 you could set up a Send connector that handles the wss.spysrus.com namespace and indicate that you want to forward all messages for that address space to a smart host—the smart host being your web front-end server.

Figure 1: Email settings for a document library

Enabling Delivery to a List or Library

After email is configured at the farm level, site administrators can email-enable individual lists and libraries. Not all list types can be enabled for email, but for those that can, you'll see an Incoming email settings option under the Communications section when viewing the settings for the list. The settings available depend on the list type—for example, a document library asks you what you want to do with attachments and a blog list lets you choose whether the incoming item is published immediately. Figure 1 shows the settings available for a document library.

Every list you mail-enable needs to have an email address that's unique across the entire farm. But the site administrator can choose only the user part of the address, which SharePoint stores in the AllLists table within the content database associated with the site collection. The domain part of the address is configured at the farm level.

This naming method for email addresses probably isn't practical for most organizations. Why? First, SharePoint offers no governance on names, so it's a first-come, first-served situation for picking the user part of the name. And people will most likely choose common names for common lists—for example, what would you want the email address for your Announcements list to be? Announcements@domain.com? But so does everyone with a SharePoint site in the farm, and there's no way to check what other email addresses are currently in use other than by trial and error—SharePoint blocks you when you try to create a name that already exists. So this leads to end-user frustration. SharePoint also provides no way to validate that the email address conforms to corporate policies for formatting or the use of invalid or inappropriate names.

Furthermore, there's no way for the sender of a message to know whether it was successfully delivered to the correct SharePoint list—if, indeed, it was delivered at all—except by physically visiting the intended destination. The SMTP service initially receives the incoming email message, but the service isn't tied to SharePoint in any way and therefore can't validate that the email address points to a list or library.

The last aspect to mention at this stage is the security that you can set for incoming email. You can choose to accept mail based only on the permissions set on the list or library itself or to accept mail from any sender.

Directory Management Service

If you've sorted out your SMTP routing topology, you can now send items to SharePoint by entering the location's email address in a message. However, raw email addresses aren't necessarily user-friendly, so most email systems let you look up email addresses using common terms, such as first name and last name. WSS can leverage Active Directory (AD)—or a custom directory—for this very purpose via something called the Directory Management Service (DMS), a web service (SharepointEmailWS.asmx) that's installed out of the box on a web front-end server and enabled at the farm level using the incoming-email settings. Let's see how the DMS works and what problems it solves—and what problems it introduces to the mix.

The DMS creates Contact objects in AD to represent email-enabled lists and libraries. (It can also create distribution groups to represent the members of team sites, but that functionality is outside the scope of this article.) Your end users should be able to benefit from these entries with the same address look-up functionality and email distribution as with other email-enabled objects. I say should because enabling the DMS creates some problems you won't have if you don't use it. Note that the DMS isn't mandatory for supporting incoming email.

Configuring the DMS is a matter of specifying an organizational unit (OU) in AD where the contacts will be created. Best practice is to create a MOSS-specific OU for easier all-around management. You need to provide the SharePoint Central Administration application pool account with write access to the OU, and therefore you'll have to work with whoever's in charge of your AD. You must also specify the name of the SMTP server for incoming mail—ultimately, this information finds its way onto the email addresses associated with the contacts that the DMS creates. Note that this address can be different from the Incoming E-Mail Server Display Address that you set during incoming-email configuration. The DMS-created address is the more user-friendly one that's displayed through the SharePoint UI, and you might have to subsequently update the AD-created object with this address so that it's a valid address to which mail can be routed. You can also indicate whether the AD Contact objects can receive mail only from authenticated users, which results in an Exchange-specific attribute being set on the Contact objects in AD. So, if you're using a different email system, this setting won't be applicable.

Using the GAL—or Not

Table 1 shows the main attributes the DMS sets on Contact objects in addition to standard system attributes. There are some limitations with these settings, however, not least the fact that in a pure Exchange 2007 environment, these settings are insufficient for a valid entry to appear in the Global Address List (GAL). Exchange 2003 and Exchange 2000 include an asynchronous component called the Recipient Update Service (RUS) that stamps AD objects with attributes such as proxyAddresses and showInAddressBook that Exchange relies on to identify recipients and route mail. This method of stamping addresses was removed from Exchange 2007; instead, all attributes are stamped at creation time—but only if you use Exchange Management Console (EMC) or Exchange Management Shell (EMS) to create your objects in the first place!

Table 1: Active Directory Attributes Used for Email

AD Attribute              | Definition
Cn                        | The name part of the email address, specified by the user
displayName               | The name of the list appended to the name of the site the list belongs in
givenName                 | The name of the site the list belongs in
mailNickname              | Same as Cn
msExchRequireAuthToSendTo | True or False, depending on DMS configuration
Name                      | Same as Cn
Sn                        | The name of the list
targetAddress             | The Cn followed by the incoming mail server specified during DMS configuration

Therefore, to get your contacts correctly stamped in an environment that doesn't have RUS, you need to modify them after they're created. This process is discussed in the Exchange team's blog entry, "Good bye RUS" (msexchangeteam.com/archive/2006/10/02/429053.aspx). Essentially, you need to update all relevant address lists with the following EMS commands:

Get-EmailAddressPolicy | Update-EmailAddressPolicy
Get-AddressList | Update-AddressList
Get-GlobalAddressList | Update-GlobalAddressList

The second limitation with the Contact objects is that they aren't configured for attachments to be correctly sent to them. This problem is documented in the Microsoft article "Attachment is missing from an e-mail message that is sent to a Microsoft Windows SharePoint Services 3.0 document library" (support.microsoft.com/default.aspx?scid=kb;en-us;926891), which explains that you have to set the mAPIRecipient attribute to false and the internetEncoding attribute to 1310720 before attachments will be sent correctly to the Contact object. Note that if you aren't using the DMS to enable GAL lookup, these problems don't occur. Exchange doesn't correctly deliver to the DMS-created contact because of these missing attributes.

The third problem is with the display name that gets created and ultimately finds its way into the GAL. This name is usually the primary way someone chooses an entry from the GAL. However, it's highly likely that users have similar list and site names, which means that there's little to differentiate entries in the GAL. Remember, SharePoint has nothing in the UI to prevent sites and lists having the same titles. Figure 2 shows an example of two team sites, both called Group Team Site and both having the out-of-the-box Team Discussion list mail-enabled. Which one should users choose? To pick the right one, they'd need to know the email address of the appropriate list—which would defeat the purpose of having a GAL entry in the first place. The existence of Contacts in the GAL could be a hindrance rather than a help.

The last problem I'd like to mention is the lack of governance. There's no administrative control in SharePoint over what gets put into the GAL—if you decide to enable the DMS, it's a free-for-all and chaos can certainly reign. Can you imagine if every team site email-enabled, say, three lists? How many entries in the GAL would that equate to in your organization? At my company, that would reach the million mark. And, given the design of the DMS, all those entries would be in the same OU in AD. I'm not sure I know any AD administrators who would happily open up their AD to the potential for such abuse.

Figure 2: Duplicate list names with entries in the GAL

Emailing Ease

Correctly configuring all the pieces so that email makes it to the intended list or library can be tricky, but the ability to email items into SharePoint is certainly a useful feature, and the way SharePoint handles incoming items works well. That said, make sure you communicate correct expectations about what the features are, how contacts will appear in the GAL, and so forth, so that everyone—end users, AD admins, Exchange admins—knows what to expect when you email-enable SharePoint. Good communication is especially important if you decide to use the DMS—but remember, the DMS isn't mandatory.

(kevin.laahs@hp.com) is a distinguished technologist at HP. He is coauthor of Microsoft SharePoint Technologies: Planning, Design, and
Recover All Essential Files

How often have you had a user accidentally delete a file that couldn't be recovered? Windows' Recycle Bin and backup systems can't protect files such as those deleted from network shares or from the command line or that are too large to fit into the Recycle Bin. Traditional file recovery products can recover only deleted files that are in free space and haven't been overwritten.

Diskeeper's Undelete 2009 retains all deleted files regardless of how they were deleted. The product sends all deleted files to a separate recovery bin and keeps them for the specified length of time. "The principal functionality of Undelete is to recover a deleted file. It's essentially a program that captures deleted files and changes them to a move request," said Michael Materie, director of product management for Diskeeper. "Undelete allows you to do things like capture iterations of a Word file or things that become deleted across a network. On a file server, the recycle bin doesn't actually capture the file—it's gone."

A variety of options streamline file removal and recovery. For instance, Undelete can make only certain file types recoverable—or only files from certain folders or computers. Materie said, "The core of the product is capturing and protecting the files. There's a variety of features that allow you to fine-tune that. Undelete allows you to tailor it to the type of files you want, based on file type, location, etc."

Prices for Undelete range from $29.95 for Desktop Client Edition to $499.95 for Server Edition. For more information, contact Diskeeper at 818-771-1600 or visit www.diskeeper.com.
Spam Firewall Protects 100,000 Concurrent Email Users

Barracuda Networks launched the Barracuda Spam Firewall 1000 for ISPs and other large organizations. The new appliance supports as many as 100,000 concurrent email users and 5,000 domains. The 2U form factor includes 200GB of message-log storage and 750GB of quarantine capacity—the largest quarantine capacity available, according to the vendor. In addition, the product features redundant hot-swap power supplies and dual-gigabit Ethernet ports. You can cluster appliances for scalability and redundancy. The Barracuda Spam Firewall 1000 costs $89,999; subscription to Barracuda Networks' Energize Update service is $24,299 per year. For more information, contact Barracuda Networks at 888-268-4772 or visit www.barracuda.com.

Asigra, Consonus Provide Business Continuity Services

Backup and recovery vendor Asigra and IT managed services provider Consonus Technologies have teamed up to offer a Virtual Business Continuity (VBC) service. VBC is a turnkey, pay-as-you-go protection and recovery service for enterprise data and applications. The new offering includes services such as business continuity/disaster recovery consulting, data protection, virtual or dedicated operating-environment recovery, as well as hot-standby computing resources and recovery servers allocated from a VMware infrastructure. VBC currently provides business continuity and disaster recovery for Microsoft Exchange Server and plans to expand services to other applications. For more information, contact Consonus (www.consonus.com) at 919-379-8000 or Asigra (www.asigra.com) at 416-736-8111, extension 101.

Diagnose Performance Problems with dynaTrace

dynaTrace Software's application performance management solution now supports Microsoft Office SharePoint Server (MOSS) 2007. dynaTrace Diagnostics 2.6 enables MOSS customers to manage performance and service-level fulfillment of MOSS sites, identify slow Web Parts, and diagnose the cause of performance problems in SharePoint applications. The product works with Visual Studio and Visual Studio Team System to isolate problems early in the life cycle and enable quick resolution. For more information, contact dynaTrace Software at 781-466-8082 or visit www.dynatrace.com.
Toshiba 320GB USB 2.0 Portable 2.5" External Hard Drive

If you're an administrator of a small IT shop, you're probably well aware of the advantages of portable, external USB hard drives. Large enterprises can also benefit from such drives—for example, by using them to transport virtual machines (VMs) from network to network.

Whether your business is small or large, you should check out Toshiba's 320GB USB 2.0 Portable External Hard Drive.

Putting It to the Test

At 3.2" x 0.65" x 5", weighing just 5.4 ounces, the Toshiba 320GB hard drive struck me as a neat little gadget a bit larger—although lighter—than a BlackBerry. The device has no buttons, removable panels, or visible screws, and the only output is the tiny USB port on top. The hard drive's build quality and internal shock sensor give you confidence in its ability to keep your data safe.

According to the information card included with the hard drive, the device is compatible with Windows Vista, Windows XP, and Mac OS 10.3.9 and later. To test the Toshiba hard drive, I used the included foot-long USB 2.0 cable to connect the drive to my computer. Immediately, the drive opened the preloaded NTI Shadow backup software, simultaneously with a Creating Your First Backup PDF guide that offered easy-to-follow steps for accomplishing manual and automatic scheduled backups to the drive.

If backup is your goal with the Toshiba drive, the NTI Shadow software is merely adequate. Although my test backup proceeded fairly smoothly (a tiny blue LED at the unit's upper right corner flickers during data transfer), the software provides only very basic functionality. In addition, I received strange individual backup failures of certain files during my tests. For example, at one point, NTI Shadow's backup-completion notice indicated that the target 320GB drive didn't have sufficient space to back up a small video file (although the drive actually had 280GB of remaining space). I also found the backup process to be somewhat sluggish. The slow write speeds left me wishing that the 5400rpm drive included a FireWire port.

For IT use, you might find yourself deleting NTI Shadow and either replacing it with another backup solution of your choice or using the drive for a completely different purpose. As a monstrous USB storage device, the Toshiba hard drive is absolutely top-notch and lends itself to many business purposes—cheap backup scenarios, convenient storage, VM migration, you name it. The short USB cable seems tailor-made for laptop users who need to drag and drop large chunks of data and get going. In situations in which a 1GB USB stick just doesn't cut it, Toshiba's 320GB external hard drive is nice to have.
Toshiba 320GB USB 2.0 Portable 2.5" External Hard Drive

PROS: Large capacity in exceedingly small, lightweight form factor gives this drive huge potential in many business scenarios; a bargain considering its storage capacity

CONS: Included NTI Shadow software is merely adequate; relatively slow write speeds; no FireWire port

RATING:

PRICE: $179

RECOMMENDATION: Recommended for both small and large businesses—although for separate purposes—despite a couple reservations.

CONTACT: Toshiba • 800-316-0920 • www.toshiba.com
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www.winsupersite.com K 

SUMMARIES of in-depth product reviews* 5 
on Paul Thurrott's SuperSite for Windows 

Google Chrome Beta 

PROS: Excellent rendering engine; good 
performance; simple interface 

CONS: Not easily extensible; not centrally
manageable

RATING: ♦♦♦♦O

RECOMMENDATION: The release of
Google's first Web browser, Chrome, prompted
fears that webmasters and web application
developers would have to deal with yet another
web-browser rendering engine. However,
Chrome utilizes the high quality WebKit
engine, offering excellent site compatibility
and performance. Chrome also excels with a
stripped-down UI. The Chrome home page,
by default, will show you a new "tab page"
that includes your nine most visited pages on
the left and the sites you search on most on
the right, in list format. If there's a disappointment,
it's that Chrome isn't yet as extensible
as its competition. And it lacks such obvious
features as a full-featured bookmark management
system. Still, it's a great first effort.

CONTACT: Google • www.google.com

DISCUSSION: www.winsupersite.com/reviews/google_chrome_handson.asp

Microsoft Internet Explorer 
8.0 Beta 2 

PROS: Excellent end-user functionality and 
security 

CONS: Compatibility is much worse than 
expected, even in Compatibility View 


RATING: ♦♦♦ 


Jason Bovberg | jbovberg@windowsitpro.com 
Paul Thurrott | thurrott@windowsitpro.com 


RECOMMENDATION: Microsoft Internet
Explorer (IE) 8.0 Beta 2 is a surprisingly tepid
release—its compatibility problems overshadow
its many functional and security
improvements. The software giant pledged
to release IE 8.0 as a standards-compliant
browser, and it succeeded. But I've experienced
many issues with IE 8.0, whether I
was using the default rendering mode or the
compatibility mode, which renders sites as IE
7.0 did. Many sites, including Microsoft sites,
simply don't render correctly with this browser.
Until this is fixed, it limits IE 8.0's appeal.

CONTACT: Microsoft • 800-426-9400 •
www.microsoft.com

DISCUSSION: www.winsupersite.com/reviews/ie8_beta2.asp
Enterprise Random
Password Manager 4.0

To read the full review, go to www.windowsitpro.com
and enter InstantDoc ID 100369.

When a member of your IT department
leaves the company, you know you need
to change critical passwords such as the
domain administrator password and the
Microsoft SQL Server systems administrator
password—and even the four-digit combination
to the lock on the server room door.
However, many companies fail to change
the local Administrator password on individual
servers and workstations. And let's face
it, who wants to take the time to do it?

That's where Lieberman Software's 
Enterprise Random Password Manager 
(ERPM) 4.0 comes in. This product does 
more than just change passwords—it 
also manages passwords and includes a 
web-based password check-in/check-out 
procedure. Once ERPM is set up, it can even 
automatically change local Administrator 
and other service account passwords, and 
it provides full and secure access to the 
account passwords. Let me dive in and 
show you how ERPM works. 

Installing the ERPM .msi package on a
dedicated server takes only a few seconds
and is straightforward. A SQL Server backend
(i.e., SQL Server 2000 or later, Microsoft
Data Engine) must be preinstalled and running
before you begin installing ERPM. After
the ERPM server product is installed, you
use a configuration wizard to set up your
backend database. In just a few minutes, I
was connected to SQL Server, had created a
new database, and had ERPM talking to SQL
Server.

After ERPM is connected to SQL Server,
the wizard takes you to the Deferred Processor
Setup screen, where you can provide
ERPM with account credentials so that it can
automatically change local Administrator
and service account passwords. The account
that you use must have local Administrator
rights to each machine in the domain so
that it can, for example, change the local
passwords and restart NT Services.

When ERPM is up and running, you
can create and populate a group of servers
using the GUI located under the ERPM Start
menu item. Although you can populate the
servers manually, I really liked having the
option to "link" a group of servers in ERPM
to an organizational unit in Active Directory
(AD). When you select this option, new
objects that are added to AD will
automatically show up in the ERPM group.

Next, you can set up a schedule
for when the local Administrator password,
service account passwords, or any
other password will automatically
change. ERPM
can also change passwords for OSs and
database platforms other than Windows
and SQL Server, including MySQL, Oracle,
Linux, OS X, UNIX, Cisco, and mainframes
such as AS/400 or OS/390. Passwords can
be changed hourly, daily, weekly, monthly,
yearly, or every n days. The new passwords
are random, encrypted, and stored in SQL
Server.

After you've configured the local Administrator
password to change on a set schedule,
you'll eventually find that you need to
use that password. ERPM's Web Application
lets you check out the password for two
hours (as Figure 1 shows) if you need to
gain access to a machine. If your business
requires it, you can even create a workflow
that forces certain people to be approved
before they're given the password. After
the password has been checked back in,
it's changed again to keep it secure. This
entire process is audited to ensure that only
authorized users are viewing the password.
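
The check-out, approval, rotation-on-check-in and audit steps described above, modeled in Python as an added example; this is not ERPM's code and does not come from the review. The class and method names, the 24-character password length, single-holder checkouts, rotation when a checkout lapses, and the sample accounts are all assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!#$%*+-_"
CHECKOUT_WINDOW = timedelta(hours=2)  # the two-hour checkout the review describes


class CheckoutError(Exception):
    """Raised when a checkout or check-in request is refused."""


class PasswordVault:
    """Hypothetical model of scheduled rotation plus audited check-out/check-in."""

    def __init__(self, approval_required=()):
        self._passwords = {}     # account -> current password
        self._checkouts = {}     # account -> (user, expiry)
        self._approvals = set()  # (user, account) pairs approved for one checkout
        self._approval_required = set(approval_required)
        self.audit = []          # (timestamp, actor, action, account)

    def _log(self, now, actor, action, account):
        self.audit.append((now, actor, action, account))

    def _refuse(self, now, user, reason, account):
        # Refusals are audited too, so failed attempts are visible later.
        self._log(now, user, "denied:" + reason, account)
        raise CheckoutError(f"{user} on {account}: {reason}")

    def rotate(self, account, now, actor="scheduler"):
        """Replace the stored password with a fresh random one."""
        self._passwords[account] = "".join(
            secrets.choice(ALPHABET) for _ in range(24))
        self._log(now, actor, "rotate", account)

    def approve(self, approver, user, account, now):
        """Record a one-time approval for accounts that need sign-off."""
        self._approvals.add((user, account))
        self._log(now, approver, "approve:" + user, account)

    def checkout(self, user, account, now):
        """Hand out the current password for a limited window."""
        self.expire(now)
        if account not in self._passwords:
            self._refuse(now, user, "unknown-account", account)
        if account in self._checkouts:  # assumption: one holder at a time
            self._refuse(now, user, "already-checked-out", account)
        if account in self._approval_required:
            if (user, account) not in self._approvals:
                self._refuse(now, user, "not-approved", account)
            self._approvals.discard((user, account))  # approval is single-use
        expiry = now + CHECKOUT_WINDOW
        self._checkouts[account] = (user, expiry)
        self._log(now, user, "checkout", account)
        return self._passwords[account], expiry

    def checkin(self, user, account, now):
        """Return the password; rotating it invalidates the disclosed value."""
        self.expire(now)
        holder = self._checkouts.get(account)
        if holder is None or holder[0] != user:
            self._refuse(now, user, "not-holder", account)
        del self._checkouts[account]
        self._log(now, user, "checkin", account)
        self.rotate(account, now, actor="checkin")

    def expire(self, now):
        """Assumption: a lapsed checkout is closed and rotated like a check-in."""
        for account, (user, expiry) in list(self._checkouts.items()):
            if now >= expiry:
                del self._checkouts[account]
                self._log(now, user, "checkout-expired", account)
                self.rotate(account, now, actor="expiry")


if __name__ == "__main__":
    # Constructed sample data: account and user names are made up.
    t0 = datetime(2008, 12, 1, 9, 0)
    vault = PasswordVault(approval_required={"SQL01\\sa"})
    vault.rotate("XP2\\Administrator", t0)
    vault.rotate("SQL01\\sa", t0)
    _, expiry = vault.checkout("alice", "XP2\\Administrator", t0)
    print("alice's checkout expires at", expiry)
    vault.checkin("alice", "XP2\\Administrator", t0 + timedelta(minutes=30))
    for entry in vault.audit:
        print(*entry)
```

The audit list is the part to keep when adapting this: every grant, refusal, lapse and rotation lands in it with an actor and a timestamp, which is what lets a reviewer tie a disclosed password to a person and a time window.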

ERPM earns my highest praise for a
simple-to-use product that fills a huge hole
in password security. The only thing that
bothers me about ERPM is its high price.
With a base price of $25,000, a company
with a network consisting of 50 servers
and 500 workstations would have to spend
almost $30,000 to implement the product
in its environment, and that price doesn't
include a maintenance agreement. However,
if you need to regularly change your
local Administrator and service account
passwords, and need to be able to check
out these passwords with an audit trail,
then you owe it to yourself to look into this
capable product. I am extremely impressed
with ERPM.
Enterprise Random Password
Manager 4.0

PROS: This robust product securely changes
system passwords on a set schedule and lets
you access passwords via a check-in/check-out
procedure; easy to set up and configure;
intuitive GUI

CONS: The product's high price

RATING: ♦♦♦♦O

PRICE: Starts at $25,000 and is licensed per
server and workstation/OS

RECOMMENDATION: If you want to secure
those accounts whose passwords never get
changed and need to audit who has access to
those passwords, Enterprise Random Password
Manager is the solution for you.

CONTACT: Lieberman Software • www.liebsoft.com •
800-829-6263



[Screenshot: "Recovered Password for Account: XP2\Administrator" page reading "You have checked out this password. Your checkout will expire in 0 days, 02 hours and 00 minutes.", with Extend Checkout and Checkin buttons]

Figure 1: Checking out a password to gain access to a system
GPExpert Desktop
Policy Manager

To read the full review, go to www.windowsitpro.com
and enter InstantDoc ID 100401.

Group Policy is invaluable for managing
Windows client systems, but it's complex
and difficult to understand and work with.
GPExpert Desktop Policy Manager (DPM)
from SDM Software attempts to make
getting started with and managing client
system policies easier and helps you create
policies that actually do what you need
them to do. I downloaded a copy of DPM
1.0 and put it through its paces to see how
easy and functional it really is.

Installation 

You can choose to install DPM's two components—the
DPM Service and the DPM Web
Portal—on one server or place the portal on
an existing web server. I first tried to install
DPM on a system running Windows Server
2003 x64 Edition, but after I ran into some
problems, an SDM representative told me
something that the documentation didn't:
A 64-bit version of DPM is not currently
available. I then installed the product on a
32-bit Windows 2003 R2 system and had no
further problems.

When prompted, I provided an Active
Directory account that had permissions to
create, edit, delete, and link Group Policy
Objects (GPOs). The installation created two
groups: Desktop Policy Manager Approvers
and Desktop Policy Manager Users. You
populate these groups to specify who can
create profiles in DPM and who can approve
them. The entire install process took only a
couple of minutes.

Creating Profiles 

DPM uses "profiles" to refer to a particular
group of policy settings. Creating a profile is
a four-step, wizard-driven process. First, you
specify a name, description, and scope (per
user or per computer) for the profile. You then
select one or more templates to determine
which settings will be available for configuration
through the profile. In the third step, you
specify the actual settings that will define the
GPO. Finally, you configure the target or targets
to which the new GPO will apply.




Figure 1: The Desktop Policy Manager Web Portal 


DPM provides useful per-user and per-computer
templates that you can use to
easily manage clients via Group Policy. For
example, there are templates for software
deployment, group memberships, drive
and printer mappings, and Internet browser
security. The value of DPM lies in its use of
profiles to configure policies. Profiles collect
the applicable settings in one place and let
you configure them without having to navigate
the Microsoft tools and know which
settings you need and where to find them.

Workflow 

DPM uses a workflow methodology for 
GPO submission and approval. Members of 
the Desktop Policy Manager Users Group 
can create GPOs, which are then submitted 
by default to the Desktop Policy Manager 
Approvers Group for approval. You can 
make one person a member of both groups 
to streamline the process. 

The left pane of the DPM interface,
which you can see in Figure 1, lists all profiles
and their approval status. It also provides
options to work with the profiles.

Analysis 

I used DPM to create an array of GPOs and
tested the workflow elements using different
accounts. I was impressed with the ease
with which complex GPOs can be created
and targeted to user and computer objects.
The GPExpert team's foundational knowledge
of policy settings pays off by letting
you create GPOs quickly and know that you
have an appropriately configured policy.

This product is a good choice for administrators
whose time is stretched or who
need to deploy desktop management policies
without learning the nuances of Group
Policy and its thousands of settings. DPM
lets admins easily set and enforce standards
for numerous important desktop configuration
items. If you're already a Group Policy
veteran, however, you might not get much
bang for your buck.

InstantDoc ID 100401

GPExpert Desktop Policy Manager 

PROS: Quick install; creates complex GPOs 
quickly and easily 

CONS: No 64-bit version; somewhat pricey; not 
much value for experienced GPO users 

RATING: ♦♦♦OO 

PRICE: $625 for up to 25 desktops; volume 
discounts available 

RECOMMENDATION: DPM is a good choice for 
those who need to deploy desktop management 
policies without learning the nuances of Group 
Policy; Group Policy veterans might not get as 
much value from the software. 

CONTACT: SDM Software • 415-670-9302 •
www.sdmsoftware.com


Ed Roth | roth_ed@comcast.net 
REVIEW

iPhone 3G: Still Not Quite Ready
for Enterprise Email

Read the complete review at www.windowsitpro.com,
InstantDoc ID 100479.


When Apple launched the iPhone in June
2007, the company immediately grabbed
an immense amount of mindshare. However,
the first iPhone, cool as it was, wasn't
a very good email client. It didn't sync with
Microsoft Exchange Server, lacked a VPN client,
and couldn't run third-party programs.
Here, I review the iPhone 3G, focusing on
how well it works as a mobile email device
compared with Windows Mobile 6.1. For my
tests, I used the iPhone 2.1 software update,
released in September 2008.

Basic Email Functionality 

Let's start with email. Apple got the single
biggest item right: Push email works properly.
Mail arrives when it's supposed to,
and you can send replies the way you're
supposed to. As you can see in the sample
iPhone email page in Figure 1, HTML mail
displays beautifully.

That said, several rough spots exist in
Apple's implementation. The most noticeable
one is the poor behavior of the iPhone
client when you're offline. Any attempt you
make to move or delete messages when
the device isn't connected via WiFi or cellular
means results in an error dialog box
displaying. Another shortcoming is that
the iPhone client expands every folder in
your mailbox when you navigate between
folders or accounts, making it needlessly
difficult to move directly to an individual
folder.

Additionally, Apple isn't using the 
proper Exchange ActiveSync (EAS) verbs 
for message replies and forwards. EAS 
"smart reply" and "smart forward" verbs let 
applications tell the server to include the 
relevant message text, and the verbs also 
update the read/forwarded status so that 
other clients reflect the actions taken. 

You can't flag or unflag messages for
follow-up or set out-of-office messages
or timings with the iPhone, as you can do
with Windows Mobile 6. In addition, the
iPhone 3G frequently complains if you try
to throw away a message that a client- or
server-side junk filter has already moved
elsewhere.

Calendaring 

Disappointingly, the iPhone's calendar functionality
is probably the weakest part of its
Exchange support. The iPhone can accept
and act only on invitations from other users
on the same Exchange server. The calendar
software lets you create new meetings on
your own calendar, but you cannot invite
others. The iPhone limits recurrence patterns
to daily, weekly, biweekly, monthly,
and yearly appointments (no more
first-Thursday-of-every-month designations).
You can't see or set the time zone for meetings,
and there's no way to find free/busy
times or suggested meeting times. Windows
Mobile 6.1's calendaring functionality is far
superior.

Tasks 

The iPhone doesn't include a built-in tasks/to-do
application. Apple missed the boat
here, as this is a natural piece of functionality
for a mobile device. In fact, there are dozens
of such applications in Apple's iPhone
App Store.

Policy Control and Security 

Apple has implemented only some parts
of the EAS protocol. In the security realm,
this means that iPhones will honor the
password-related policies you set for EAS
devices. However, the iPhone doesn't recognize
the expanded policies introduced
with Exchange Server 2007 SP1, and it won't
work with Microsoft System Center Mobile
Device Manager 2008 because the iPhone
can't run the necessary client software. Windows
Mobile devices warn you the first time
you sync with a server that enforces a policy.
The iPhone doesn't do this, so if you accept
the policy, you're stuck with it. As a further
annoyance, if you send a remote wipe
request to the iPhone, the device will take
more than two hours to finish it.

Figure 1: iPhone email client

Not Quite the Right Stuff 

The iPhone does many things right: It has
terrific fit and finish, the web browser is
better than anything available on any other
mobile device platform, and the UI is polished,
fast, and easy to learn. Unfortunately,
the iPhone just isn't up to par as a mobile
enterprise email device. Windows Mobile
6.1's maturity gives it a clear edge in this
case.

InstantDoc ID 100479

iPhone 3G 

PROS: Superb interface; packed with features; 
supports Exchange ActiveSync (EAS); easy to 
operate 

CONS: Requires expensive data plans; offers 
poor calendar support; lacks a physical keyboard 

RATING: ♦♦♦OO 

PRICE: Monthly service plus $299 for 16GB 
model and $199 for 8GB model 

RECOMMENDATION: The iPhone is a slick, 
beautifully realized smartphone that provides an 
unparalleled Internet-browsing experience. Its 
EAS support is a good start but is weak compared 
with the latest crop of Windows Mobile devices. 

CONTACT: Apple • www.apple.com •
408-996-1010
INSIGHTS FROM THE INDUSTRY


Powerful Handheld Devices Open the Way for 
Remote Network Administration 


According to Rob Woodbridge, president
and CEO of administration solution provider
Rove, technology has "reached a
point now where [mobile] devices are
obviously so powerful that they're more 
powerful, probably, than the first computer 
you ever owned." I can certainly relate to 
his point. I purchased my first computer 
back in the early '90s and was pretty 
excited just to get email—not to mention 
learn about this thing called the Internet. 
Thinking back, it's hard to imagine that 
that computer could actually do any of the 
things I needed. It came with 4MB of RAM 
(later upgraded to a whopping 8MB!) and a 
120MB hard disk drive. I can't tell you what 
processor it had, but I think my toaster is 
more powerful than that machine was. 

Putting the capabilities of today's
mobile devices to good use, Rove has created
Mobile Admin, which lets IT pros use
mobile devices to provide full administrative
control over their IT environments.
"Handheld devices are really a great extension
to your office. People are now realizing,
certainly with the iPhone coming out,
that there's much more to offer than just
email and calendaring," Woodbridge said.
"There's hundreds of thousands of applications
that are out there for these devices
that have been just sitting there waiting for
people to find them. And we happen to be
one of them that fits a really amazing little
niche." Mobile Admin lets IT staff respond
to problems from anywhere, and the application
interfaces with everything from
Windows and Linux servers to your routers
and switches. "Everything that you can do
from within your firewall, in your server
room, or from a terminal window, you can
now do from your BlackBerry or Windows
Mobile device," Woodbridge said.

The company's latest release, Mobile
Admin 4.1, introduces enhanced access
control and management capabilities
intended to simplify IT administration,
including Secure Shell and Telnet integration
for remote terminal access, and RDP
and Virtual Network Computing integration
for remote, graphical administration
of servers. After Mobile Admin is installed
on a server, it replicates necessary components
to other servers and client devices.
Through Mobile Admin, IT support staff
can perform tasks such as restarting services,
rebooting servers, changing passwords
on Exchange Server mailboxes, and
reviewing event logs.


The target market for Mobile Admin is
the large enterprise with multiple servers
and systems to support. The software lets
you work with a mixed environment of OSs
and with different types of mobile devices.
However, Woodbridge was quick to point
out that "small and medium enterprises
benefit from this as well. Oftentimes with
thirty to three hundred people in a company,
you know they're running ragged
already. So the last thing that they can
afford to do is have downtime, especially
prolonged downtime." And, really, who in
any size business can afford downtime?
"The power is the ability to not have to be
tied to a desk in order to be on call or for IT
support," Woodbridge said.

So what is Mobile Admin's main competitor?
"We've come to look at the status
quo as the competitor—the people who
still log on with their desktops, the guys
who still lug around laptops ... and take
fifteen, twenty, or thirty minutes to react to
something that could have taken a minute
and a half from the device," Woodbridge
said. "So really it's legacy thinking that's our
chief competitor."

You can find out more about Mobile
Admin 4.1 at www.rovemobile.com.

—B.K. Winstead 

InstantDoc ID 100465 


Wanted: Your Real-World Experiences with Products 

Have you discovered a great product that saves you time and money? Do you use 
something you wouldn't wish on anyone? Tell the world in a review right 
here in What's Hot: Readers Review Hot Products. If we publish your opinion, 
we'll send you a Best Buy gift card and a free VIP subscription to Windows IT
Pro. Send information about a product you use and whether it helps you or
hinders you to whatshot@windowsitpro.com. 


How Can IT Pros Thrive in Tough Times?


One of my three sons is a financial analyst who manages millions
of dollars for his employer. He told the family in March that October
would be the time when the financial markets would collapse,
and he told us why. We thought he was a bit out of his mind, but
heck, we love him, so we listened and nodded our heads and
hoped he was wrong.

Now I'm caught between pride at his forecasting abilities and 
fear of what's happening across the United States and around 
the world. How do I deal with my fear? By doing research—which 
means I've read numerous blogs and articles that advise how to 
get through these uncertain times. 

One tip I like, while not always practical, is that IT pros should 
focus on keeping their skills current and adding new skills. To me, 
that's always meant going back to school, which can get expensive 
unless your employer is footing the bill. 

But this week, I had this major little epiphany, this moment of 
"duh." Hey, why not do it yourself? Why put your learning goals in your 
employer's lap or a college's? There's a strong history of do-it-yourself 
training among IT pros. I know several who regularly create their own 
learning plan for the skills or knowledge they want to acquire, then 
plot out a timetable of steps to achieve it, setting aside time for study 
in the morning before work or in the evening before bedtime. 

I can't say for sure what will work for you, but it seems to me
that an hour or two of focused attention every day can pay off in a
few months, depending on the skills and knowledge you want to
acquire. Luckily, numerous resources exist online to help you, from
Microsoft's virtual labs to how-to articles, white papers, e-books,
podcasts, and videos from Windows IT Pro, among many others.

I've been enjoying the little snippets of knowledge John Savill
offers in his FAQs, especially the down-and-dirty facts that are easy to
digest during my lunch break. I've also recently discovered his webcasts,
where he takes you step by step through technology, like his
recent video "How to Use the Microsoft iSCSI Initiator Command-Line
Interface," at tinyurl.com/htu-iSCSI. (Okay, I'll admit it—I'm a sucker for
his British accent.)

One thing I do know is that IT people are wickedly resourceful
when it comes to learning. It's amazing how you figure out how
to deal with technology that didn't even exist a few years ago—as
well as successfully deal with bugs, crashes, upgrades, crazy managers,
clueless users, low budgets, and uncertainty.

So maybe I should be asking you for advice (though you might 
be too busy putting out fires to give it—I understand completely). 
Still, I'm curious about how you are getting by in these chaotic 
times. I'm also curious to know if there's anything we could do to 
help you do your work better. Send me an email at
cmarwitz@windowsitpro.com.

—Caroline Marwitz 
What Mail Server Are You Using?


A recent nonscientific Instant Poll on www.windowsitpro.com 
asked the question "What is the primary mail server you support in 
your organization?" Here are the results: 

• 30 percent use Exchange Server 2007 

• 64 percent use Exchange Server 2003 

• 2 percent use Exchange 2000 Server 

• 1 percent use Exchange Server 5.5 

• 4 percent use something else 

These results seem to confirm what we've heard from our readers
over the past 6-12 months: More than twice as many of you
are sticking with Exchange 2003 instead of upgrading to 2007.
From the responses to previous poll questions and from reader
feedback, the big reasons for not making the switch are a desire
to avoid the increased complexity of Exchange management that
attends the multi-role Exchange 2007 (not to mention that whole
PowerShell thing) and budget concerns due in part to the need to
upgrade to 64-bit hardware. Although Exchange 2007 offers some
great features, there's no incentive to upgrade if you don't need
those features and Exchange 2003 is serving your needs.

One thing the poll doesn't address is how many of you manage a
mixed environment of Exchange 2007 and Exchange 2003. And there
might be good reasons for doing so; see, for example, "Deployment
Blockers for Upgrading to Exchange Server 2007" at InstantDoc ID
98509. A mixed environment lets you introduce some of Exchange
2007's new features, such as the Edge Transport role for message
hygiene, at a lower cost than transitioning your whole organization,
but it undoubtedly makes management more complex.

Exchange Server is certainly the dominant mail server in
operation—it's probably even more dominant among those in
our Windows IT Pro audience than in other organizations. But even
in the Windows world, a vocal minority is looking for Exchange
alternatives. In last month's Everything But Microsoft column, Jeff
James wrote about the Exchange-alternative market—read it at
InstantDoc ID 100311. Also, here are some other articles on alternatives:

• "Groupware Alternatives to Microsoft Exchange," InstantDoc ID
50597

• "Kerio MailServer 6.1," InstantDoc ID 48792

• "PostPath Offers a Linux-based Exchange Alternative," InstantDoc
ID 96670

• "What's Hot: Reader Review," SmarterMail 5.x, InstantDoc ID 100058

If you've used any of these products—or another Exchange
alternative—we'd love to hear about it. What made you pick the one
you did, and how has it performed? You can help other readers
who are struggling with such decisions.

With the next Exchange release perhaps little more than a year
away, how many of you plan to investigate and possibly switch to
the new version when it's released? Will organizations already on
Exchange 2007 be more inclined to switch (because, presumably,
they've already got the hardware in place), or will Exchange 2003
admins feel it's time to leapfrog when they get the chance? Ah,
perhaps that's the source of a future poll question.

—B.K. Winstead 
CTRL+ALT+DEL

by Jason Bovberg

You've heard of sniglets, right? They're
words that should be in the dictionary
but aren't. Rich Hall of Saturday Night Live
fame wrote a few books full of them. We
stumbled on some hilarious IT-related
sniglets at WhatIs.com (whatis.techtarget.com).
Here are our 10 favorites. How
about yours? Send them in!

bGG break — The act of sneaking
off to the bathroom to use a BlackBerry

blamestorming - Sitting
around in a group, discussing why a
deadline was missed or a project failed,
and who was responsible

crapplet - A poorly written or
totally useless Java applet

e-dundancy — Sending someone an
email message while simultaneously taking
part in an IM conversation with that person

egosurf — To search for yourself on
Google or another search engine

idiot error - Help desk lingo for
"clueless end-user"

Bluetooth f3 i fy — Someone
who walks around
with a blinking Bluetooth
headset permanently
affixed to his
or her ear

ohnosecond — That instant when
you realize you've pressed the wrong key and
deleted hours, days, or weeks worth of work

spamouflage — An intentional
typo, such as "Vikagra," used
by spammers to fool spam filters

treeware - Documents
made of paper, as opposed to
electronic documents

[Screenshot: Macromedia Dreamweaver dialog box reading "No error occurred."]

[Screenshot: WatchGuard System Manager dialog box reading "A Severe Error has occurred. WSM was unable to connect to the device. The following error has occurred: Success"]

[Screenshot captions: "I wish this notification hadn't occurred"; "Where!?!?"; "Redefining basic assumptions"; "The age, in years, of the Internet"]

December 2008 issue no. 172, Windows IT Pro (ISSN 1552-3136) is published monthly. Copyright 2008, Penton Media, Inc., all rights 
reserved. Subscriptions in US, $54.95 for one year; in Canada, $59 US currency, plus GST for one year; in all other countries, US 
$99. Windows is a trademark or registered trademark of Microsoft Corporation in the United States and/or other countries, 
and Windows IT Pro is used under license from owner. Windows IT Pro is an independent publication not affiliated with Microsoft 
Corporation. Microsoft Corporation is not responsible in any way for the editorial policy or other contents of the publication. 
Windows IT Pro, 221 E. 29th St., Loveland, CO 80538, (800) 793-5697 or (970) 203-2782. Sales and Marketing Offices: 221 E. 29th 
SUBSCRIBERS: Send all inquiries, payments, and address changes to Windows IT Pro, Circulation Department, 221 E. 29th St., 

SEND US YOUR INDUSTRY HUMOR! 

Email your industry humor, scandalous 
rumors, funny screenshots, favorite 
end-user moments, and IT-related pics 
to rumors@windowsitpro.com. If we use 
your submission, you'll receive a 
Ctrl+Alt+Del coffee mug. 
GIVE YOUR DATA’S 
CONTINGENCY PLAN 
A CONTINGENCY PLAN. 






OR $23/ MONTH FOR 36 MONTHS 1 

The more valuable your data, the more you need to protect it. 
Redundancy is critical. Like in the IBM System x3350™ Express. 
It comes with integrated RAID. Can our competitors say that? 
So if there’s ever an unexpected problem on one drive, your 
business can keep running. Because the data you need is 
available in another location. Anytime you need it. Smart plan. 

From the people and Business Partners of IBM. 

It’s innovation made easy. 


HELP KEEP YOUR DATA SAFE AND ACCESSIBLE. 



PN: 4192E1U 

Featuring Intel® Xeon® Processor (up to 3.0 GHz/6 MB/1333 MHz) 

Predictive Failure Analysis and Light Path Diagnostics, redundant, 
hot-swappable power supplies and fans and up to 4 hard disk drives 

Comes with a 1-year or 3-year customer replaceable unit and on-site 
limited warranty 2 


IBM SYSTEM x3650 EXPRESS 

$ 5,409 

OR $139/ MONTH FOR 36 MONTHS 1 

PN: 7979EVU 



IBM SYSTEM STORAGE 
DS3400 EXPRESS 

$ 4,319 

OR $111/ MONTH FOR 36 MONTHS 1 

PN: 172641E 



IBM System x3650 Express: Featuring up to two Intel® Xeon® Processors x5355 

IBM System Storage DS3400 Express: External Disk Storage with 1 Gbps Fibre Channel interface technology 

IBM System x3650 Express: Hot-swap redundant cooling, power and hard disk drives for high availability 

IBM System Storage DS3400 Express: Built-in reliability features with dual-redundant power supplies standard 

Comes with a 3-year on-site limited warranty 2 on parts and labor 


IBM EXPRESS “BUNDLE AND SAVE” 

We bundle our Express systems to give you the accessories 
you need - while saving you money on the hardware you want. 
Act now. Available through ibm.com and IBM Business Partners. 




ibm.com/systems/safedata 
1 866-872-3902 (mention 6N8AH09A) 


1. IBM Global Financing offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Monthly payments provided are for planning 
purposes only and may vary based on your credit and other factors. Lease offer provided is based on an FMV lease of 36 monthly payments. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice. 

2. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. For a copy of applicable product warranties, visit: ibm.com/servers/support/machine_warranties or write to: Warranty 
Information, P.O. Box 12195, RTP, NC 27709, Attn: Dept. JDJA/B203. IBM makes no representation or warranty regarding third-party products or services, including those designated as ServerProven® or ClusterProven. Telephone support may be subject 
to additional charges. For on-site labor, IBM will attempt to diagnose and resolve the problem remotely before sending a technician. On-site warranty is available only for selected components. Optional same-day service response is available on [select] 
systems at an additional charge. 

IBM, the IBM logo, IBM Express Advantage, System x and System Storage are trademarks of International Business Machines Corporation in the United States and/or other countries. For a complete list of IBM trademarks, see www.ibm.com/legal/copytrade.shtml. 
Intel and Xeon are registered trademarks of Intel Corporation. All other products may be trademarks or registered trademarks of their respective companies. All prices and savings estimates are based upon IBM’s estimated retail selling prices as of 8/20/08. 
Prices and actual savings may vary according to configuration. Resellers set their own prices, so reseller prices and actual savings to end users may vary. Products are subject to availability. This document was developed for offerings in the United States. 
IBM may not offer the products, features, or services discussed in this document in other countries. Prices are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative 
or IBM Business Partner for the most current pricing in your geographic area. ©2008 IBM Corporation. All rights reserved. 
THOUGHTS ON THE EVOLUTION OF 
THE DATACENTER 


Server 

virtualization? 


How about 
data center 
virtualization? 


BROCADE: THE FIRST STEP IN DATA CENTER VIRTUALIZATION. 

How do you reap the benefits of virtualization without abandoning your existing technology? 
The Brocade Data Center Fabric (DCF) architecture. This strategic framework gives you the 
performance, scalability, and reliability to embrace technologies like server virtualization 
today and a virtualized data center tomorrow—leveraging the hardware and software 
you already own. Learn how Brocade can power your next-generation data center at 
www.brocade.com/virtualization 


BROCADE 


© 2008 Brocade Communications Systems, Inc. All rights reserved. Brocade is a registered trademark, and the B-wing symbol is a trademark 
of Brocade Communications Systems, Inc. 